Well, the network is a 139.60.0.0/255.255.0.0 doing NATting to the outside via a
PIX that NATs to 64.116.x.x. The network has around 200 machines.
Yes, I know the 139.x.x.x is wrong but somehow they decided that was a good
network (why they want 65536 hosts is unknown to me..). But since they are
doing NATting I see no problem related to this ARP storm. The net numbering can
be fixed later.....
A few minutes ago we also discovered IPX traffic. About 10%. So they have a case
of lame sysadmins that do click-click-click Windows installations.
It has several JetDirect devices that are known to do broadcasts (will be checked
and disabled if needed) but the devices are like a year old and the problem
just started a few days ago.
As for the validity of the ARP SRC and DST, I will check that tomorrow and do a
repost to this list. The ARP list is so huge and it was already closing time
down here (GMT -5) that we were not able to verify it onsite.
It cannot be the Nachi/Welchia worm because that's for Win2k/XP and they have a lot
of 95/98/NT machines. Only a few (less than 20) are XP Pro. Unless of course
somehow they got a way to infect those older OSs.
David: port mirroring is working fine.
Peter: I'll check SRC and DST tomorrow and do a repost.
Andrew: Well, I'd ditch MS technologies from my entire country if I could but I
can't in this case. LONG LIVE *nix
Brett: We also use static IPs. I will check for viruses using my personal laptop
since I don't trust any of the customer's computers.
Thanks to all, I will repost tomorrow.
Erick.
Quoting eperez@xxxxxxxxxxx:
> My network started to slow down a few days ago. So I installed the latest
> ethereal and winpcap for windows in a NT Server 4.0. All the network is switched
> and I was trying to find some cause of slowdown. I am aware of the limitations
> of sniffing on a switched network so I set the switches to replicate traffic so
> I can see it with ethereal.
> So far so good, but in the main ethereal window where it shows how many packets
> per protocol it has received during the sniffing session I found that after 1
> hour of sniffing 78% of my traffic was ARP and the rest was TCP (normal smb, tns,
> etc).
>
> All the network has windows machines (95,98,NT,2000,XP), all servers are NT 4.0
> and the network has one PDC, one BDC and one WINS server.
>
> I did a search on the mailing list but found no clue about it. Maybe this is
> normal but I just don't know.
>
> Comments/Flames/Suggestions are welcomed.
>
> Erick.
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
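The thread above boils down to two checks Erick plans to run on the mirrored-port capture: how large the ARP share of the traffic is and which hosts are generating it, and whether the ARP sender/target fields (the "SRC and DST" the list asked about) are sane for a 139.60.0.0/16 LAN. The following script is an added example written for this page, not code from Erick or from the Ethereal project. It parses raw Ethernet+ARP frames, computes the ARP share of all frames, lists senders whose request count exceeds a threshold, and flags ARP packets whose sender IP is off-net or whose ARP sender MAC disagrees with the Ethernet source MAC. The 139.60.0.0/16 prefix is taken from the post; the storm threshold, the MAC addresses and the frames themselves are constructed test data, not a real capture.

```python
"""Triage an ARP storm from raw Ethernet frames (added example, constructed data)."""
import ipaddress
import struct
from collections import Counter

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
LOCAL_NET = ipaddress.ip_network("139.60.0.0/16")   # the /16 described in the post


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def arp_frame(src_mac, sender_ip, target_ip, op=1, dst_mac=BROADCAST, sender_mac=None):
    """Build an Ethernet+ARP frame. Constructed test data, not a captured packet."""
    sha = src_mac if sender_mac is None else sender_mac
    body = ARP.pack(1, ETHERTYPE_IPV4, 6, 4, op, sha,
                    ipaddress.ip_address(sender_ip).packed, ZERO_MAC,
                    ipaddress.ip_address(target_ip).packed)
    return ETH.pack(dst_mac, src_mac, ETHERTYPE_ARP) + body


def ipv4_frame(src_mac, dst_mac):
    """Minimal placeholder IPv4 frame; only counted as non-ARP traffic for the ratio."""
    return ETH.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19


def parse(frame):
    """Decode the Ethernet header and, for ARP frames, the ARP body."""
    dst, src, etype = ETH.unpack_from(frame)
    rec = {"etype": etype, "src_mac": src, "dst_mac": dst}
    if etype == ETHERTYPE_ARP and len(frame) >= ETH.size + ARP.size:
        _, _, _, _, op, sha, spa, _, tpa = ARP.unpack_from(frame, ETH.size)
        rec.update(op=op, sha=sha, spa=ipaddress.ip_address(spa), tpa=ipaddress.ip_address(tpa))
    return rec


def analyze(frames, storm_threshold=50):
    """Return ARP share, senders over the request threshold, and sender-field findings."""
    etypes, requests, findings = Counter(), Counter(), []
    for frame in frames:
        r = parse(frame)
        etypes[r["etype"]] += 1
        if "op" not in r:
            continue
        src = fmt_mac(r["src_mac"])
        if r["op"] == 1:                      # ARP request
            requests[src] += 1
        if r["spa"] not in LOCAL_NET:         # sender claims an IP outside the LAN
            findings.append(("sender-ip-off-net", src, str(r["spa"])))
        if r["sha"] != r["src_mac"]:          # ARP sender MAC != Ethernet source MAC
            findings.append(("sender-mac-mismatch", src, fmt_mac(r["sha"])))
        if r["sha"] in (BROADCAST, ZERO_MAC):  # never a valid sender hardware address
            findings.append(("bogus-sender-mac", src, fmt_mac(r["sha"])))
    total = sum(etypes.values())
    arp_share = etypes[ETHERTYPE_ARP] / total if total else 0.0
    storms = [(m, n) for m, n in requests.most_common() if n >= storm_threshold]
    return {"total": total, "arp_share": round(arp_share, 3),
            "storms": storms, "findings": findings}


def sample_capture():
    """Constructed frames: one host sweeping a /24 with ARP requests, some normal traffic."""
    sweeper = bytes.fromhex("0000aa000001")
    frames = [arp_frame(sweeper, "139.60.1.1", f"139.60.1.{i}") for i in range(2, 152)]
    for i in range(10):                       # ten ordinary hosts resolving the gateway
        host = bytes.fromhex(f"0000bb0000{i:02x}")
        frames.append(arp_frame(host, f"139.60.2.{i + 1}", "139.60.0.1"))
    for _ in range(40):                       # some IPv4 traffic so the ratio is meaningful
        frames.append(ipv4_frame(bytes.fromhex("0000cc000001"), bytes.fromhex("0000cc000002")))
    frames.append(arp_frame(bytes.fromhex("0000dd000001"), "10.0.0.5", "139.60.0.1"))
    frames.append(arp_frame(bytes.fromhex("0000dd000002"), "139.60.3.3", "139.60.0.1",
                            sender_mac=bytes.fromhex("0000ee000099")))
    return frames


if __name__ == "__main__":
    report = analyze(sample_capture())
    print(f"frames={report['total']} arp_share={report['arp_share']:.1%}")
    for mac_addr, n in report["storms"]:
        print(f"storm candidate: {mac_addr} sent {n} ARP requests")
    for kind, src, detail in report["findings"]:
        print(f"{kind}: ethernet src {src} -> {detail}")
```

On a real capture you would feed `analyze()` the raw frames read from a pcap file (for instance with a pcap reader library) instead of `sample_capture()`. A single MAC dominating the request counter points at one machine worth isolating; a steady stream of off-net sender IPs or mismatched sender MACs points at misconfiguration or something deliberately forging ARP, which is the distinction the list was asking Erick to make.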