Re: What is Ethernet doing when we are sleeping?
From: Dances With Crows (danSPANceswitTRAPhcrows_at_usa.net)
Date: 27 Sep 2003 15:52:53 GMT
On Sat, 27 Sep 2003 11:30:27 -0400, Mina Naguib staggered into the Black
Sun and said:
> Michel Hostettler wrote:
>> When all stations have no open applications, and just modem switch
>> on, what is the traffic on the LAN? Are there some frames, some
>> signals transmitted?
> In this day and age it's rare that absolutely no applications
> utilizing the network are running.
True, but a machine that's just running sshd+apache and not currently
being accessed shouldn't show any network activity. I *think* the
question that Michel is asking could be phrased as, "I have a
(cable)modem and several machines hooked to a switch/hub. I see the
blinking lights on the modem and/or hub flash a lot, even when the
machines aren't doing anything. Why?" Michel, write in French if you
prefer; I can read it.
I've seen similar things happening on my own little home LAN. The
switch doesn't report *any* traffic when I'm not using the Net at large
and no one's sshed into my machines or hit my very small, low traffic
personal website. My cablemodem's activity light blinks constantly.
Experiments with ethereal show that most of the traffic received on eth0
of the firewall/gateway is ARP requests from other cablemodems. (And, of
course, some idiot with a 'DozeXP machine trying to relay spam through
my mailserver every 5-6 seconds, but I can deal with that....)
> If your network is HUB-based, or you're willing to ARP-poison your own
> switches, you can use a linux/*BSD box plus Dug Song's excellent
> dsniff package to convince all nodes on the network that you're their
> gateway. This will then allow you to run any normal IP sniffer such
> as tcpdump or ethereal to actually inspect the data going through your
This may cause unintended consequences. Don't try this on anything
other than your own LAN. (Dug was in my Calc 116 class a long time ago.
Why didn't I listen to him when he tried to get me interested in
computer security in 1994? Argh.)
> If your network's mostly *nix-based, you won't be seeing too much
> except for the occasional ARP requests. On the other hand do expect a
> LOT of traffic (NetBios resources discovery, PDC elections, viruses)
> for windows boxes.
> The above only holds true of course if your claim that absolutely no
> networking applications are running is true. Even something as common
> as NFS or a p2p client will generate a lot of traffic.
Yes, but something like ethereal will let you make sense of the major
threads of the traffic. NFS/eMule/Napster/SMB traffic is pretty easy to
pick out when you look at it in ethereal. It's the stuff you can't
explain that's annoying.
-- 
Matt G|There is no Darkness in Eternity/But only Light too dim for us to see
Brainbench MVP for Linux Admin / mail: TRAP + SPAN don't belong
http://www.brainbench.com / "He is a rhythmic movement of the
-----------------------------/ penguins, is Tux." --MegaHAL
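
An added example, not part of the original post: a passive Python tally of raw Ethernet II frames, of the kind the ethereal experiment above produced by eye, which separates broadcast ARP requests (and who is sending them) from other idle-time traffic. The frames, MAC addresses and documentation-range IP addresses are constructed, and the function names are hypothetical.

```python
import socket, struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify(frame):
    """Label one raw Ethernet II frame as (kind, sender_ip or None)."""
    if len(frame) < 14:
        return ("runt", None)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806 and len(frame) >= 42:           # ARP
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4):  # Ethernet/IPv4 ARP
            kind = {1: "arp-request", 2: "arp-reply"}.get(op, "arp-other")
            return (kind, socket.inet_ntoa(frame[28:32]))  # sender protocol address
        return ("arp-other", None)
    if ethertype == 0x0800 and len(frame) >= 34:           # IPv4
        proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(frame[23], "other")
        return ("ipv4-" + proto, socket.inet_ntoa(frame[26:30]))  # source address
    return ("ethertype-0x%04x" % ethertype, None)

def baseline(frames):
    """Count frame kinds and the senders of broadcast ARP requests."""
    kinds, askers = Counter(), Counter()
    for f in frames:
        kind, sender = classify(f)
        kinds[kind] += 1
        if kind == "arp-request" and f[:6] == BROADCAST:
            askers[sender] += 1
    return kinds, askers

# Constructed sample frames (helpers below only build test input).
def arp(op, sha, spa, tpa, dst=BROADCAST):
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + bytes(spa) + b"\0" * 6 + bytes(tpa))
    return dst + sha + struct.pack("!H", 0x0806) + body

def tcp_stub(src_mac, src_ip, dst_ip):
    hdr = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0]) + bytes(src_ip) + bytes(dst_ip)
    return b"\x02\0\0\0\0\x01" + src_mac + struct.pack("!H", 0x0800) + hdr + b"\0" * 20

M1, M2, M3 = (bytes.fromhex("0200000000" + n) for n in ("10", "11", "12"))
SAMPLE = [
    arp(1, M1, (192, 0, 2, 10), (192, 0, 2, 1)), arp(1, M1, (192, 0, 2, 10), (192, 0, 2, 7)),
    arp(1, M2, (192, 0, 2, 11), (192, 0, 2, 1)), arp(2, M3, (192, 0, 2, 1), (192, 0, 2, 10), dst=M1),
    tcp_stub(M3, (198, 51, 100, 5), (192, 0, 2, 20)),
]

if __name__ == "__main__":
    print(baseline(SAMPLE))
```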