
I'm troubleshooting my home network because we are having frequent outages and slow connections. Very often the ASUS Wifi router shows that it has no WAN IP address. To view what might be going on, I monitored traffic between the Wifi router and the cable modem using a switch with a mirror port sending copies of the traffic to a Wireshark session. (Below is the network diagram and a screenshot of the Wireshark dump.) The wireless router's WAN address is 76.87.168.205 and its gateway address is 76.87.160.1. I'm not sure if the gateway is the cable modem itself, or if the cable modem acts as a pass-through and the gateway is a router at the cable company's site.

Something that surprised me is that there appears to be an excessive number of ARP requests coming from the WAN gateway to devices on the WAN network, as can be seen in the Wireshark dump. What also surprised me are the ARP requests (circled in red) from 10.56.0.1 and 45.51.240.1 on the 76.x.x.x WAN network.

Also, is the cable modem the IP gateway on the WAN side, 76.87.160.1, or is it a router at the ISP, or in our neighborhood somewhere? When I tracert 76.87.160.1 it returns a device name of cpe-76-87-160-1, for which I'm assuming cpe stands for customer premises equipment, which I thought was the cable modem.

So if the cable modem is the gateway, why is it sending ARP requests to IP addresses that were never on my network? Or, assuming that the GW is a router that serves our geographic area, are these ARP requests normal, or excessive? Do they indicate a problem?


1 Answer

The wireless router's WAN address is 76.87.168.205 and its gateway address is 76.87.160.1. I'm not sure if the gateway is the cable modem itself

From the addressing as well as the shown latency, no, it looks like 76.87.160.1 is distant (and the cable modem is likely in some sort of bridge mode). It would be very unlikely for a residential network to have a modem that has its own public address pool like that, and your WAN address looks like it's part of a large pool (at least a /20).

Therefore, the requests are not coming from your cable modem itself – they are from the ISP's upstream gateway, and with a subnet this large (a /20 has 4096 addresses) the number of ARP requests will certainly add up.

Many of those ARP requests are likely caused by a botnet trying to scan inactive addresses, which therefore never stick around in the gateway's ARP cache for long (the "negative" entry expires after a few seconds), causing the next probe to generate another ARP request.

But even active addresses can expire from the ARP cache relatively quickly if they go idle for a few minutes or if the gateway proactively re-checks them after some interval, so if the subnet is large then it'll add up.

You didn't mention whether the shown source MAC address matched your modem's, but even if it did, it could still be just the way "bridging" is done in cable modems (which I'm not at all familiar with).

When I tracert 76.87.160.1 it returns a device name of cpe-76-87-160-1, for which I'm assuming cpe stands for customer premises equipment, which I thought was the cable modem.

Yes, but this looks a lot like procedurally generated rDNS entries – the other addresses in this pool are CPEs, and nobody simply added an exception to the algorithm to generate a different PTR for the gateway's address.

What also surprised me are the ARP requests (circled in red) from 10.56.0.1 and 45.51.240.1 on the 76.x.x.x WAN network.

It is common for large ISPs to have address pools that consist of many smaller prefixes, and multiple IP subnets can easily coexist in the same L2 network. The same gateway (or even the same device in general) can have multiple IP addresses assigned to the same interface, either from the same subnet or different; e.g. 76.87.160.1 and 45.51.240.1 are probably the same device and 10.56.0.1 is probably its "management" address.

  • OK. Your answer is making sense. And yes, the MAC address where the ARP requests are coming from appears to be the cable modem, but as you said, that doesn't mean they ultimately originated from there.
    – Frank
    Commented Apr 8, 2023 at 20:52
  • Cable internet is not a thing around here, but from what I've heard of cable modems and DOCSIS, they are unable to do "true" bridging (as the DOCSIS side is not quite Ethernet-compatible), so although the modem will forward all L3 (IP and ARP) packets as if it were a bridge, it can't avoid rewriting the L2 (MAC) address with its own. Commented Apr 9, 2023 at 12:06
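To put numbers on the answer's two points (addresses probed again and again because they never resolve, and several IP subnets sharing one L2 segment behind one gateway MAC), here is an added example that is not code from the question or the answer. It parses raw Ethernet/ARP frames, keeps only who-has requests, and reports how often each target is asked for, which sender addresses fall outside the WAN prefix, and which sender IPs share a source MAC. The WAN prefix 76.87.160.0/20 is an assumption taken from the answer's "at least a /20" remark, and the gateway MAC and the frames in SAMPLE_FRAMES are constructed sample data, not captured traffic; to run it on a real capture, feed it the raw frame bytes from your pcap instead.

```python
"""Classify ARP who-has traffic seen on a cable-modem WAN segment.

Added example, not from the original question or answer. WAN_NET is an
assumed prefix and GW_MAC / SAMPLE_FRAMES are constructed sample data.
"""
import ipaddress
import struct
from collections import Counter

WAN_NET = ipaddress.ip_network("76.87.160.0/20")  # assumed from "at least a /20"
GW_MAC = bytes.fromhex("001122334455")            # hypothetical gateway/modem MAC
ROUTER_MAC = bytes.fromhex("66778899aabb")        # hypothetical home-router WAN MAC


def build_arp(op, src_mac, sender_ip, target_ip, dst_mac=b"\xff" * 6):
    """Build an Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    eth = dst_mac + src_mac + b"\x08\x06"                      # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)           # Ethernet/IPv4, 6/4-byte addrs
    arp += src_mac + ipaddress.ip_address(sender_ip).packed    # sender MAC + sender IP
    arp += (dst_mac if op == 2 else b"\x00" * 6)               # target MAC (zero in a request)
    arp += ipaddress.ip_address(target_ip).packed              # target IP being resolved
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "src_mac": frame[6:12].hex(":"),
        "sender_ip": str(ipaddress.ip_address(frame[28:32])),
        "target_ip": str(ipaddress.ip_address(frame[38:42])),
    }


def analyze(frames, wan_net=WAN_NET):
    """Tally who-has requests.

    repeated_targets: addresses asked for more than once, the pattern you get
    when a probed address never answers and the gateway's negative entry
    expires before the next probe.
    foreign_senders: sender IPs outside the WAN prefix, i.e. other subnets
    carried on the same L2 segment.
    senders_by_mac: which sender IPs share one source MAC (one gateway with
    several addresses, or a modem rewriting the MAC while bridging).
    """
    per_target = Counter()
    senders_by_mac = {}
    requests = 0
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != 1:      # skip non-ARP frames and ARP replies
            continue
        requests += 1
        per_target[arp["target_ip"]] += 1
        senders_by_mac.setdefault(arp["src_mac"], set()).add(arp["sender_ip"])
    return {
        "requests": requests,
        "per_target": dict(per_target),
        "repeated_targets": sorted(t for t, n in per_target.items() if n >= 2),
        "foreign_senders": sorted(
            ip for ips in senders_by_mac.values() for ip in ips
            if ipaddress.ip_address(ip) not in wan_net),
        "senders_by_mac": {mac: sorted(ips) for mac, ips in senders_by_mac.items()},
    }


# Constructed sample: one gateway MAC asking from three different sender IPs,
# one target that never resolves and is probed three times, one reply from the
# home router, and one non-ARP (IPv4) frame that must be ignored.
SAMPLE_FRAMES = [
    build_arp(1, GW_MAC, "76.87.160.1", "76.87.168.205"),
    build_arp(2, ROUTER_MAC, "76.87.168.205", "76.87.160.1", dst_mac=GW_MAC),
    build_arp(1, GW_MAC, "76.87.160.1", "76.87.171.44"),
    build_arp(1, GW_MAC, "76.87.160.1", "76.87.171.44"),
    build_arp(1, GW_MAC, "76.87.160.1", "76.87.171.44"),
    build_arp(1, GW_MAC, "76.87.160.1", "76.87.163.9"),
    build_arp(1, GW_MAC, "10.56.0.1", "10.56.2.17"),
    build_arp(1, GW_MAC, "45.51.240.1", "45.51.241.88"),
    b"\xff" * 6 + GW_MAC + b"\x08\x00" + b"\x00" * 28,
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

On a real capture, a long list of repeated_targets with no matching replies is the scan-of-dead-addresses pattern the answer describes, while a small foreign_senders list under the same MAC as 76.87.160.1 is the multi-subnet gateway case; neither by itself points at your own modem or router as the source of the outages.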
