What might be sending out an ARP request to every IP on a subnet exactly every 30 minutes on a Windows 2003 server box?
In other words, if the network is 192.168.0.x and the subnet mask is 255.255.255.0 we are seeing ARPs for:
192.168.0.1
192.168.0.2
192.168.0.3
etc. all the way through
192.168.0.255
except for the 3 computers that are actually in the subnet.
Is there some security feature in 2003 server that tries to detect new systems in a subnet?
ETA: Possible important clue:
All of the ARPs were coming from one computer. When that computer was taken off of the network, the ARPs started coming from a different windows 2003 server computer.
One suggestion is to boot in safe mode and see whether the arps go away. See what different services are running with/without arp.
If you download a tool called Angry IP Scanner it will do essentially the same thing, determine what addresses are taken and by what MAC/hostname/etc. Oddly enough, many AV programs will flag this as a threat, since it’s a handy tool for someone who wants to map your network.
the Master Browser, IIRC will broadcast on the subnet (not arp) and tally the replies. Arp is essentially a broadcast saying “Hello, who is x.x.x.x?” I cannot imagine any real need for a program to do this regularly. Jetadmin might be looking for a class of HP MAC addresses this way, but you’d think a simple broadcast would be equally effective.