On Wednesday 26 May 2004 9:40 pm, eperez@xxxxxxxxxxx wrote:
> My network started to slow down a few days ago. So I installed latest
> ethereal and winpcap for windows in a NT Server 4.0. All the network
> is switched and I was trying to find some cause of slowdown. I am
> aware of the limitations of sniffing on a switched network so I set
> the switches to replicate traffic so i can see it with ethereal.
> So far so good, but in the main ethereal windows where it shows how
> many packets per protocol has received during the sniffing session I
> found that after 1 hour of sniffing 78% of my traffic was ARP and the
> rest was TCP(normal smb, tns, etc).
>
> All the network has windows machines (95,98,NT,2000,XP) all servers
> are NT 4.0 and the network has one PDC one BDC and one WINS server.
I've seen this twice recently. One was probably welchia; it sent ARPs to
successive IP addresses at intervals of about 20ms. The other was
probably XP misbehaving; it sent ARPs to a single machine that had been
pulled off the network, and did it at ridiculous frequency
(microseconds.)
--
Richard Urwin