I recently was looking at some packet captures on my network when I realized something that seemed a bit strange to me. There was Linux machines (namely Ubuntu) that were sending ARP requests for machines and the frames had a destination MAC address of the actual machine. I checked the ARP cache on these machines and they of course had the correct MAC address in it's cache.
I was always taught and under the impression that ARP requests were always broadcast (destination FF:FF:FF:FF:FF:FF) It is as if since the machines had it's MAC address cached, it would not broadcast these frames unless the ARP cache was cleared. I verified this by deleting the ARP entry, and I viewed the first ARP request as broadcast, and subsequent ones unicast.
I guess this makes sense to reduce broadcast traffic, and it may be something that only Linux incorporates. Does anyone know the source of this behavior?
