["Charlie Brenneman" <charlie@xxxxxxxx>]

I just ran a capture that is very puzzling to me.  I am hoping someone can shed some light on why this might be occurring. 

My capture shows about 5000 ESP packets in 15 seconds.  During this time frame the ability to ping nodes on my network became almost impossible.  As soon as nodes were responding to pings the ESP traffic was pretty much gone. In reviewing the packets it seems that they all have the same remote SRC IP and local DST IP, but SRC MAC alternates between 5 different MAC’s that are local to my network. And the DST MAC is the correct MAC for the DST IP. 

My question is why would I see this type of traffic?  Secondly why would all the packets show a local DST IP and DST MAC but show a remote SRC IP but the SRC MAC’s are 5 different local hosts.  This is happening on an ISP network with a few hundred DSL customers. 

Any help or ideas would be greatly appreciated.

Thanks,

Charlie