ARP module
The Address Resolution Protocol (ARP) is used on layer 2 to track which hardware (MAC address) uses which IP address. The ARP module monitors requests and replies and builds a database of all known MAC and IP addresses and how they correlate. It also counts possible spoofing alerts, raised when a computer sends requests or replies with a wrong MAC address, or when multiple computers answer for the same IP address. Those events may indicate a problem within the network, caused by misconfiguration or an attack.
ARP Statistics
Overview
MAC addresses
The MAC addresses table shows, for each MAC address, the last assigned IP address, that is, the IP address most recently announced by that MAC address. The time at which this IP address was announced is shown as well. The table includes the alternative names of the last IP from other sources (such as DHCP, DNS, TLS, HTTP, etc.). The column Different IPs seen lists all IP addresses that have been announced by the MAC address at some point in time. Many devices will have just a single IP address, but with dynamic IP assignment (via DHCP or other methods), multiple IP addresses are possible as well. The column # mismatching MACs contains a counter of possible conflicts in requests or replies. The counter increases when the MAC addresses used in a request or reply do not match (the MAC address announced as sender differs from the one the packet was actually sent by). The value should always be zero; otherwise it indicates that a device sends ARP requests with a forged sender address.
IP addresses
The IP addresses tab displays the reverse direction, showing the MAC addresses used for each IP address. The table includes the alternative names from other sources (such as DHCP, DNS, TLS, HTTP, etc.). The columns Latest MAC and Time of latest MAC show the latest MAC address that has announced that it owns the corresponding IP address, and the time of that announcement. The Different MACs seen column lists all MAC addresses that have announced that they own the IP address at some point in time. Often an IP address is used by one device exclusively, but with dynamic IP assignment (via DHCP or other methods), multiple hardware devices may use the same IP address over time. This does not indicate a problem within the network. The # multiple MAC collisions column shows a counter of possible conflicts in IP usage. The counter is increased when multiple hardware devices announce that they own the same IP address within a short amount of time. This may indicate a problem if those devices really use the same IP address. It may happen due to misconfiguration, if two devices have the same fixed IP address. It may also happen due to an attack in progress, if an attacking device wants to mimic another device.
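The two counters described in the MAC addresses and IP addresses sections can be reproduced with a small tracker over raw ARP frames. This is an added example, not the product's own code: the 60-second collision window, all class and function names, and the choice to attribute a mismatch to the frame's source MAC are assumptions, and the frames are constructed.

```python
import struct
from collections import defaultdict

WINDOW = 60.0  # assumed; the page only says "a short amount of time"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

class ArpTracker:
    def __init__(self):
        self.ip_macs = defaultdict(set)      # IP -> every MAC that announced it
        self.mac_ips = defaultdict(set)      # MAC -> every IP it announced
        self.latest = {}                     # IP -> (latest MAC, time of announcement)
        self.mismatching = defaultdict(int)  # keyed by frame source MAC (assumption)
        self.collisions = defaultdict(int)   # keyed by IP

    def feed(self, ts, frame):
        """Account one raw Ethernet frame; False if it is not IPv4-over-Ethernet ARP."""
        # EtherType 0x0806, then htype=1, ptype=0x0800, hlen=6, plen=4
        if len(frame) < 42 or frame[12:20] != b"\x08\x06\x00\x01\x08\x00\x06\x04":
            return False
        src, sha = mac_str(frame[6:12]), mac_str(frame[22:28])
        ip = ".".join(map(str, frame[28:32]))
        if sha != src:       # announced sender differs from the actual sender
            self.mismatching[src] += 1
        if ip == "0.0.0.0":  # ARP probe: the sender claims no address yet
            return True
        prev = self.latest.get(ip)
        if prev and prev[0] != sha and ts - prev[1] <= WINDOW:
            self.collisions[ip] += 1
        self.latest[ip] = (sha, ts)
        self.ip_macs[ip].add(sha)
        self.mac_ips[sha].add(ip)
        return True

def arp_frame(eth_src, sha, spa, oper=1):
    """Constructed ARP frame for the demo; every address here is made up."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(map(int, a.split(".")))
    return (b"\xff" * 6 + raw(eth_src) + b"\x08\x06\x00\x01\x08\x00\x06\x04"
            + struct.pack("!H", oper) + raw(sha) + ip4(spa) + bytes(10))

def demo():
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    t = ArpTracker()
    t.feed(0, arp_frame(A, A, "10.0.0.5"))      # normal announcement
    t.feed(10, arp_frame(B, B, "10.0.0.5", 2))  # second MAC 10 s later: collision
    t.feed(4000, arp_frame(C, C, "10.0.0.5"))   # reassigned much later: no collision
    t.feed(4001, arp_frame(C, A, "10.0.0.9"))   # sent by C, announces A: mismatch
    return t
```

A third MAC appearing for the same IP long after the window only extends the list of MACs seen, which matches the page's point that reuse under dynamic assignment is not a problem by itself.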