Question : Double ARP Request to the Gateway

When running a packet capture on a normal workstation I am seeing many of my workstations sending out two arp requests to the gateway device.

A little information about the Network. The network consides of about 130workstations and 12servers. about 90 of the workstations are running windows xp sp2. and the Rest are running windows 2000 SP4. The servers are a mix of windows 2003SP2 and windows 2000 server SP4 and a few other server OSes. I do have three 24port 10/1000 managed Netgear Switches and about Ten 24port 10/100  Netgear unmanaged switches throughout the network. With a Sonicwall Pro 2040 Firewall serving as the Gateway for all the network devices.

What clued me into running packet capture on the network was the fact that at times the network seemed to be running slow. When I ran the packet capture several of the workstations and a couple of the Servers are sending out two ARP requests to the Gateway within ms of each other. When you run a packet capture at the sonicwall you will see where it received both packets and sent out a response for both packets. it doesn't seem to matter where you are at on the network you see this same type of broadcast traffic which if your run the packet capture on a workstation for about a minute I will receive over 600 packets and over 50-65% of them will be arp requests. what is even stranger is that on a workstation that is sending these double arp packets to the gateway will only send out one arp request to any other network device like a printer.

I have isolated a few of the problem workstations to try to figure out what the issue is and what I have tried is
Deleting and re detecting tcp/ip protocol
Deleting and reinstalling/Updating network card drivers
verifying Current patch level of OS
Check AV settings and scanned PC for Viruses. Tried Trend Micro, and Symantec
Isolated the workstation so I only had the Workstation, Packet Capture workstation, Switch and a spare Router.

I am running out of Ideas and if any of you would have any other suggestions I would greatly appreciate them.  I realize that ARP broadcasts are normal but I find it strange that some of the workstations and servers are sending a request out and without waiting sending out a second request.
Code Snippet: 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:

No.     Time        Source                Destination           Protocol Info
      2 0.062970    DellPcba_15:fa:ca     Broadcast             ARP      Who has 192.0.0.3?  Tell 192.0.0.79
 
Frame 2 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: DellPcba_15:fa:ca (00:0d:56:15:fa:ca), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
 
No.     Time        Source                Destination           Protocol Info
      3 0.064032    DellPcba_15:fa:ca     Broadcast             ARP      Who has 192.0.0.3?  Tell 192.0.0.79
 
Frame 3 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: DellPcba_15:fa:ca (00:0d:56:15:fa:ca), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
 
No.     Time        Source                Destination           Protocol Info
      4 0.276591    HewlettP_3a:c2:34     Broadcast             ARP      Who has 192.0.0.3?  Tell 192.0.0.8
 
Frame 4 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: HewlettP_3a:c2:34 (00:12:79:3a:c2:34), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
 
No.     Time        Source                Destination           Protocol Info
      5 0.277333    HewlettP_3a:c2:34     Broadcast             ARP      Who has 192.0.0.3?  Tell 192.0.0.8
 
Frame 5 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: HewlettP_3a:c2:34 (00:12:79:3a:c2:34), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
Open in New Window
Select All

Answer : Double ARP Request to the Gateway

How can I assign out Points without marking one of his messages as the Solution? I don't have a issue assigning the points to him. While the comments he left while very Vaid comments they really didn't have a final impact on me discovering the Solution.

If you must know the final solution was discover in accident with a converation between a old coworker and me as we were talking about all the dead ends I was finding in reguards to this issue.  Of all the placed and people I chatted to we never gave a thought that a service loaded on the PCs would directly cause this issue.


here is the Patch information in reguards to Trend Micro Office scan. 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:

Trend Micro, Inc.                                   September 17, 2007
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                 OfficeScan Corporate Edition(TM) version 8.0
                             Patch 1.1 - build 1117
 
 
4. After applying this patch, Tmlisten no longer monitors IP route
      table changes and only monitors IP changes, which resolves the
      following issues:
 
    - Tmlisten sends ARP requests to the gateway server every 30 seconds,
      which results in ARP flooding.
 
    - Tmlisten monitors changes to the IP and the IP route table. IP
      route table change is an event signaled by the Windows operating
      system. Frequent changes to the IP route table triggers the
      OfficeScan client to infinitely request cgiOnStart/cgiCheckIP/
      update configuration, which impacts memory usage.
Open in New Window
Select All
Random Solutions  
 
programming4us programming4us