> help me to understand this traffic pattern
Hi Rohit,
Let me try - it is relatively straightforward.
These lines:
> 13:28:02.565008 In arp who-has 192.168.0.1 tell 192.168.1.15
> 13:28:02.565023 In arp who-has 192.168.0.1 tell 192.168.1.15
mean that the host at 192.168.1.15 is trying to reach host 192.168.0.1, which is down/not answering.
The same happens here:
> 13:28:23.913378 In arp who-has 192.168.10.1 tell 192.168.1.109
> 13:28:23.913394 In arp who-has 192.168.10.1 tell 192.168.1.109
where 192.168.1.109 is trying to reach 192.168.10.1, which is down.
You would get the exact same behaviour if you run a packet capture program on your PC (i.e. Wireshark) and try to ping an unassigned address on your LAN.
So, if you are not using those two addresses, this traffic pattern is not surprising at all. If you are really curious, you may want to check why 192.168.1.15 and 192.168.1.109 are trying to reach those non-existent addresses.
About this, instead:
> 13:28:10.963482 Out IP truncated-ip - 272 bytes missing! 192.168.1.1.bootps > 255.255.255.255.bootpc:
> BOOTP/DHCP, Reply, length 300
... it is not a real problem, and the datagram is not really truncated; it is only that by default "monitor traffic" only captures up to the transport header of every frame.
If you want to capture the whole frame, add "size 1500" (Ethernet MTU) to your "monitor traffic" command, and the frames will no longer show as truncated. One word of warning: I am told that the 'size' knob does not work on some low-end J-series though; can you try it on yours?
Thanks,
Saverio
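
Added example, not part of the original post: a short Python script that reads capture lines in the format quoted above and lists every requester/target pair whose ARP who-has never got a reply, which is how to spot hosts probing unassigned addresses in a longer capture. The "arp reply ... is-at ..." line format, its MAC address, the 192.168.1.1 request and the function name `unanswered_arp` are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the who-has lines for 192.168.0.1 and 192.168.10.1 are the
# ones quoted in the post; the 192.168.1.1 request and the "arp reply" line
# (with a documentation-range MAC) are made up to show an answered request.
SAMPLE = """\
13:28:02.565008 In arp who-has 192.168.0.1 tell 192.168.1.15
13:28:02.565023 In arp who-has 192.168.0.1 tell 192.168.1.15
13:28:05.100000 In arp who-has 192.168.1.1 tell 192.168.1.15
13:28:05.100400 Out arp reply 192.168.1.1 is-at 00:00:5e:00:53:01
13:28:23.913378 In arp who-has 192.168.10.1 tell 192.168.1.109
13:28:23.913394 In arp who-has 192.168.10.1 tell 192.168.1.109
"""

# timestamp, direction, then the ARP summary printed by the capture tool
REQUEST = re.compile(r"^\S+ (?:In|Out) arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"^\S+ (?:In|Out) arp reply (\S+) is-at \S+")


def unanswered_arp(capture_text):
    """Return {(requester, target): request_count} for targets with no reply."""
    requests = defaultdict(int)
    answered = set()
    for line in capture_text.splitlines():
        line = line.strip()
        if m := REQUEST.match(line):
            target, requester = m.group(1), m.group(2)
            requests[(requester, target)] += 1
        elif m := REPLY.match(line):
            answered.add(m.group(1))
    # Keep only the pairs whose target never appears as the sender of a reply.
    return {pair: n for pair, n in requests.items() if pair[1] not in answered}


if __name__ == "__main__":
    for (src, dst), count in sorted(unanswered_arp(SAMPLE).items()):
        print(f"{src} sent {count} ARP request(s) for {dst}, no reply seen")
```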