Using the AppResponse to troubleshoot a high number of ARP requests

Solution Number: S27023
Last Modified: 2017-02-21

Issue

Customer is seeing a high number of ARP requests which are having a negative impact on network performance. How can I use the ARX appliance to discover the source of these ARP broadcast storms?

Solution

There is no pre-configured AppResponse insight or report which will track down the source of an ARP request storm on your network.

The AppResponse appliance is focused on monitoring layer 3 and layer 4 IP-to-IP traffic. ARP requests occur at layer 2.

To investigate layer 2 traffic you need a protocol analyzer such as ATX or Wireshark to analyse packet captures stored on the AppResponse appliance during the time frame of interest for clues as to the source of the ARP traffic.

If you do not have a license for ATX you can use a combination of Wireshark and ARX to capture and review the broadcast traffic occurring at the time of these ARP broadcast storms.
 
  1. Download and install Wireshark (if you don't already have a copy in your toolkit) in order to review the packet capture contents and find the source of the ARP broadcast storm.
  2. Use the Packet Download Manager (java console -> tools -> packet download manager) to access our HSC capture buffers for samples of the traffic occurring at the time of the storm.
 
Once the Packet Download Manager tool is open you will want to:
  1. Use the "Specify Traffic to Preview" window to set the "from / to" time range for when the last broadcast storm occurred. You don't need to make any other changes to the "Specify Traffic to Preview" configuration. 
     
  2. Click OK
     
  3. After you click OK you will see the graph in the main window populate with a representation of the traffic volume occurring during the requested time frame. 
     
  4. Use your right mouse button to drag across and select the spike in traffic corresponding to the time of the broadcast event. 
     
  5. Once the area of interest is highlighted, click the "download" button.
     
  6. Specify where you want the file to download. By default it goes to the "Windows Temp Directory" (C:\users\username\appdata\local\temp).
     
  7. Choose the "Headers only" option then click OK. 
 
Once the packet sample is downloaded you can navigate to it and open it with Wireshark to continue your investigation into the source of the ARP requests in question.
 
NOTE: Two files are downloaded. You want the file whose name begins with "rolling buffer"; that is the packet capture file.
 
Once you have opened the "rolling buffer ..." packet capture in Wireshark the rest will be simple but possibly a little tedious.
 
If you are an experienced Wireshark user I'm sure you have your own methods of setting up filters. 
 
If you are new to Wireshark, the instructions below should get you started:
  1. Click on the column label "protocol" to sort the captured packet headers by protocol.
     
  2. Scroll and review the summaries in the corresponding info column. You should see the ARP broadcast requests. Review the Source column and the info column to hopefully find your culprit.

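
As an alternative to scrolling through the sorted list, the sketch below tallies ARP requests per sender and lists the busiest senders first. It is an added example, not Riverbed code: it assumes the downloaded "rolling buffer" file is in classic libpcap format with an Ethernet link type (the page does not state the file format), and the function names `arp_request_sources` and `sample_pcap` are hypothetical.

```python
import struct
import sys
from collections import Counter

VLAN_TAGS = (b"\x81\x00", b"\x88\xa8")  # 802.1Q / 802.1ad

def arp_request_sources(pcap_bytes):
    """Return [((sender MAC, sender IP), count), ...] for ARP requests, busiest first."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        pos = 12  # EtherType follows the two 6-byte MAC addresses
        while frame[pos:pos + 2] in VLAN_TAGS:
            pos += 4
        arp = frame[pos + 2:pos + 30]
        if frame[pos:pos + 2] != b"\x08\x06" or len(arp) < 18 or arp[6:8] != b"\x00\x01":
            continue  # not ARP, truncated before the sender fields, or not a request (opcode 1)
        mac = ":".join(f"{b:02x}" for b in arp[8:14])
        ip = ".".join(str(b) for b in arp[14:18])
        counts[(mac, ip)] += 1
    return counts.most_common()

def sample_pcap():
    """Constructed sample: 3 requests from one host, 1 request and 1 reply from another."""
    def frame(mac, ip, op):
        arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac + bytes(ip)
        return b"\xff" * 6 + mac + b"\x08\x06" + arp + bytes(6) + bytes([10, 0, 0, 1])
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [frame(a, [10, 0, 0, 5], 1)] * 3 + [frame(b, [10, 0, 0, 6], 1), frame(b, [10, 0, 0, 6], 2)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for (mac, ip), n in arp_request_sources(data):
        print(f"{n:8d}  {mac}  {ip}")
```

Run it with the path of the downloaded capture as the only argument; with no argument it runs against the constructed sample.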
Here are some links to our latest documentation which will help you: 
 
AppResponse ver9.6.1 User Guide: 
 
https://support.riverbed.com/bin/support/download?did=snf8h0g3p2ec9nuin8lk6krmrt&version=9.6.1
 
 
Search for "Packet Download Manager" for more details about accessing HSC packets. 
 
Here is a link to the online help, which is very useful:
 
AppResponse v9.6.1 Online Help 
 
https://support.riverbed.com/bin/support/static/ad5s6lr7nv38vg3uurdu4iuti8/html/h4d3ts6u61bohg95fqt7a6h5as/appresponse96/wwhelp/wwhimpl/js/html/wwhelp.htm
 
 

 
