Re: Question about High ARP load
From: MadMax (mwjanse_at_hotmail.com)
Date: 01/08/04
- Next message: Timo Nentwig: "nmap does not run as root"
- Previous message: Jozef Kutej: "Re: proftpd user account and directory access"
- In reply to: Graham Nicholls: "Re: Question about High ARP load"
- Next in thread: ch ganser: "Re: Question about High ARP load"
Date: Thu, 08 Jan 2004 14:07:30 +0100
Guys,
Thanks for the info. Yes I used ethereal to check my network. I think I know
quite something about TCP/IP (everything from theory), but if in a
practical situation 17% of all network load is ARP-broadcasts, imho TCP/IP
is a crappy protocol. (I know, I know.... it is popular and we must use
it). ARP is just a helper subset of the TCP/IP suite.... We are not talking
about actual information transfers (to the end-user). I think that 17% is a
little too much overhead. Now to find the problem... Thanks for the virus
warning. I already use plenty of scanning (workstations, proxy and
smtp-servers), but I'll check it again, manually. All the arping is from
all machines, not from the MS clients only. (from the same subnet.....
x.x.x.1 is asking who has x.x.x.10 and x.x.x.55 is asking who has
x.x.x.24 ........stuff like that.........)

Thanks for the switch monitoring port hint..... Sometimes I forget that
Ethereal cannot do everything by itself! Man I love this tool!

ping -b 192.168.0.255 (to the broadcast addie) gives indeed alotta
arp-requests. Funny that all machines respond, except for the MS clients.

The network is performing reasonably well. (except for SMB-stuff from MS <->
MS, but SMB from *nix <-> *nix is pretty good)

Again thanks for the info, and I see what I can do about my ARP-load.
Perhaps, I can tweak the IP-stacks a little...

Max
Graham Nicholls wrote:
> MadMax wrote:
>
>> My network is showing me a high ARP-load. About 17%. It is fully switched
>> 100Mb on the servers and 10Mb for the workstations. So far the Layer 1
>> and 2 layout. I use IPv4 in a class C range.
>
> Don't forget that (assuming you're sniffing using ethereal, or similar),
> you'll only see broadcast traffic, as you're in a switched environment.
> Unless you can enable the monitoring ports in your switches, (which is
> vital for sorting problems), you'll never see non-broadcast traffic. BTW,
> look at what the arps are for - if they're outside your net, but a
> translation of your IP range to a class B - eg you have 10.1.2.3, and the
> arps are for 10.1.x.x, then you may have a virus on one of your internal
> machines, or if it's coming from an internet router, then other machines on
> the same class b subnet as you (on the outside of your net, but connected
> to the same ISP) may have viruses - I think it was the Nachi or SOBIG
> virus that did this. What is happening is that a machine which is infected is
> trying to ping the whole of the class B network which you would be on if
> the netmask was a class b, so first the machine has to send arps out to
> discover the MAC address of those machines. Don't forget you won't see the
> subsequent pings, as you are switched. If your switches can't monitor,
> get a hub and connect the segment you want to monitor and your monitoring
> PC to the hub, then to the switch, and you will be able to see all the
> traffic on that particular segment.
>
> OTOH, 17 % of these being arps seems normal - the rest will be windoze
> crappy netbios stuff and others. How is your net performing?
>
>> (Layer 3) As OS-es I run Linux
>> (Redhat 9/Suse 9) and as workstations Linux (Suse 9 and Windows XP). It
>> is a small office environment. (Layer 4, 5, 6 and 7)
>>
>> Can anyone tell me if 17% ARP-load is normal?!
>>
> Synopsis:
> IME, not excessive, but can indicate virus infected machine on the lan.
>> Thanks,
>>
>> Max
> Regards,
> Graham
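
The check suggested in the quoted reply (look at what the ARPs are for, sender by sender), as an added example that is not part of the original thread. It assumes a text capture in the `tcpdump -n arp` line format and a /24 local network; the function name, the threshold and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# ARP request lines as printed by `tcpdump -n arp` (text format assumed).
ARP_REQ = re.compile(r"ARP, Request who-has ([0-9.]+)(?: \(\S+\))? tell ([0-9.]+)")

def summarize_arp(lines, local_net, sweep_threshold=3):
    """Group ARP requests by sender; flag senders asking for many addresses
    outside the local subnet but inside the enclosing /16 ("class B")."""
    local = ipaddress.ip_network(local_net)   # assumed to be a /24 as in the thread
    wider = local.supernet(new_prefix=16)     # the class B the /24 sits inside
    targets = defaultdict(set)
    for line in lines:
        m = ARP_REQ.search(line)
        if not m:
            continue                          # not an ARP request, skip it
        try:
            targets[m.group(2)].add(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue                          # malformed address in the capture
    report = {}
    for sender, seen in targets.items():
        outside = sorted(t for t in seen if t not in local and t in wider)
        report[sender] = {
            "distinct_targets": len(seen),
            "outside_local": [str(t) for t in outside],
            "suspect": len(outside) >= sweep_threshold,
        }
    return report

# Constructed sample capture: two ordinary lookups, one host sweeping 192.168.1.x.
SAMPLE = """\
14:07:30.100 ARP, Request who-has 192.168.0.10 tell 192.168.0.1, length 28
14:07:30.200 ARP, Request who-has 192.168.0.24 tell 192.168.0.55, length 28
14:07:31.000 ARP, Request who-has 192.168.1.1 tell 192.168.0.77, length 46
14:07:31.010 ARP, Request who-has 192.168.1.2 tell 192.168.0.77, length 46
14:07:31.020 ARP, Request who-has 192.168.1.3 tell 192.168.0.77, length 46
14:07:31.030 ARP, Request who-has 192.168.0.10 tell 192.168.0.77, length 46
14:07:32.000 IP 192.168.0.1 > 192.168.0.255: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for sender, info in sorted(summarize_arp(SAMPLE, "192.168.0.0/24").items()):
        print(sender, info)
```
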