LinuxQuestions.org
05-03-2007, 09:40 AM   #1
deepakna

Tooooo many ARP packets on network

Hello,

Not sure if I should be asking this question in here or linux-security...

I have a strange problem in my network: ARP packets are being flooded into the network to the extent that sometimes the network chokes for a moment. As the entries below show, every second there are 4 ARP packets on the network, and for every ARP packet there is STP (Spanning Tree Protocol) on the network. I am using all Linux machines in the office with 10.34.0.0/16 and am not sure from where the 192.168.1.1 series is popping up on the network. Could somebody Pleaseeeeeeee help me resolve this issue? Thanking you all in advance, and if any more info is required on this, please let me know.

[root@inlogin001 root]# tcpdump -i eth0 | grep who-has
tcpdump: listening on eth0
19:00:50.298506 arp who-has 192.168.1.1 tell 192.168.1.10
19:00:50.848472 arp who-has ls.montalvosystems.in tell mboopathy.montalvosystems.in
19:00:50.858471 arp who-has pixin.montalvosystems.in tell mboopathy.montalvosystems.in
19:00:50.878470 arp who-has rdenduluri.montalvosystems.in tell ls.montalvosystems.in
19:00:51.948404 arp who-has ls.montalvosystems.in tell kharsha.montalvosystems.in
19:00:52.298382 arp who-has 192.168.1.1 tell 192.168.1.10
19:00:54.298258 arp who-has 192.168.1.1 tell 192.168.1.10
19:00:56.298135 arp who-has 192.168.1.1 tell 192.168.1.10
19:00:58.298011 arp who-has 192.168.1.1 tell 192.168.1.10
19:01:00.297888 arp who-has 192.168.1.1 tell 192.168.1.10
19:01:02.297764 arp who-has 192.168.1.1 tell 192.168.1.10
19:01:03.207708 arp who-has collector.montalvosystems.in tell mitsrv01.montalvosystems.in
19:01:04.297640 arp who-has 192.168.1.1 tell 192.168.1.10
19:01:06.297517 arp who-has 192.168.1.1 tell 192.168.1.10
19:01:07.027472 arp who-has pdcin.montalvosystems.in tell RameshSubbarao.montalvosystems.in
19:01:08.297393 arp who-has 192.168.1.1 tell 192.168.1.10
 
05-03-2007, 09:47 AM   #2
deepakna (Original Poster)

Arp

This is for the mirrored PIX port... just a bit more info.

[root@snooper ~]# tethereal -i eth1
Capturing on eth1
0.000000 00000000.0800372592b1 -> 00000000.ffffffffffff IPX SAP General Response
0.103702 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
0.773880 00:1a:92:2b:70:ca -> Broadcast ARP Who has 10.34.0.1? Tell 10.34.2.124
0.932634 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
1.057887 IntelCor_d5:87:09 -> Broadcast ARP Who has 10.34.2.183? Tell 10.34.0.23
1.406644 10.34.0.53 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
1.422914 10.34.0.53 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
1.436901 10.34.0.53 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
1.451834 10.34.0.53 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
2.103475 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
2.932935 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
4.103635 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
4.932766 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
6.104811 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
6.932985 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
8.104044 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
8.933671 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
9.557296 10.34.2.219 -> 239.2.11.71 UDP Source port: filenet-pa Destination port: 8649
10.106019 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
10.932248 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
12.105756 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
12.632525 Intel_0f:61:0d -> Broadcast ARP Who has 10.34.0.24? Tell 10.34.2.229
12.932862 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
13.330512 10.34.0.54 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
13.344944 10.34.0.54 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
13.349675 10.34.0.54 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
13.360465 10.34.0.54 -> 239.255.255.250 SSDP NOTIFY * HTTP/1.1
13.890095 AsustekC_dc:3d:f6 -> Broadcast ARP Who has 10.34.0.24? Tell 10.34.2.236
14.105199 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
14.316494 10.34.2.219 -> 239.2.11.71 UDP Source port: filenet-pa Destination port: 8649
14.316498 10.34.2.219 -> 239.2.11.71 UDP Source port: filenet-pa Destination port: 8649
14.316499 10.34.2.219 -> 239.2.11.71 UDP Source port: filenet-pa Destination port: 8649
14.698209 00000000.000e7fe8a1b0 -> 00000000.ffffffffffff IPX SAP General Response
14.932816 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
16.103910 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
35 packets captured
 
05-04-2007, 04:59 PM   #3
Schema

Hi deepakna,
While that traffic is annoying, I sincerely doubt that it's causing any detectable latency, at least not at the levels that you posted. STP traffic is legitimately broadcast every two seconds; you could adjust the interval if you really wanted to (or disable if it's an edge port), but a packet every two seconds is trivial. Try to track down the source MACs of those 192.168.1.1 ARPs; you'll need to google the vendor prefix(es) for GigaByte to get the full MAC (e.g. 12:34:56:E5:7B:FE), then check your switches for which port they're known on. It's possible that you're seeing traffic from that 192 network being inadvertently bridged onto your 10.34.0.0.
 
05-04-2007, 05:12 PM   #4
acid_kewpie (Moderator)

Sounds about right, although you can get the full MAC address just by adding an extra -n to the tethereal command so it won't try and resolve the MAC OUIs for you. But I'd assume the fact that it's clearly a GigaByte device would be a pretty good start.

Last edited by acid_kewpie; 05-04-2007 at 05:13 PM.
 
05-05-2007, 11:44 AM   #5
Schema

Good point, saves you some time if the vendor has been assigned multiple OUIs, which is usually the case.
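
The triage suggested in the replies, as an added example (not code from any poster in this thread): it reads tethereal output, skips non-ARP frames, and reports ARP requesters whose sender IP lies outside the office's 10.34.0.0/16, with request count and average spacing. The function name and report layout are assumptions made for this illustration; the sample lines are copied from the capture in post #2.

```python
import ipaddress
import re
from collections import defaultdict

# Expected LAN prefix, as stated in the original post.
LOCAL_NET = ipaddress.ip_network("10.34.0.0/16")

# tethereal: "<time> <src-mac> -> Broadcast ARP Who has <target>? Tell <sender>"
TETHEREAL = re.compile(
    r"^\s*(?P<t>\d+\.\d+)\s+(?P<mac>\S+)\s+->\s+\S+\s+ARP\s+"
    r"Who has (?P<target>\S+?)\?\s+Tell (?P<sender>\S+)", re.I)

def foreign_arp_senders(lines, local_net=LOCAL_NET):
    """Return {(mac, sender_ip): stats} for ARP requests whose sender IP
    is outside local_net. Non-ARP lines and unparsable senders are skipped."""
    seen = defaultdict(list)
    for line in lines:
        m = TETHEREAL.match(line)
        if not m:
            continue  # STP, SSDP, IPX and other non-ARP frames
        try:
            sender = ipaddress.ip_address(m["sender"])
        except ValueError:
            continue  # name-resolved output; capture again with -n
        if sender not in local_net:
            seen[(m["mac"], str(sender))].append(float(m["t"]))
    report = {}
    for key, times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times),
            "mean_interval": round(sum(gaps) / len(gaps), 2) if gaps else None,
        }
    return report

# Lines copied from the tethereal capture in post #2 of this thread.
SAMPLE = """\
0.103702 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
0.773880 00:1a:92:2b:70:ca -> Broadcast ARP Who has 10.34.0.1? Tell 10.34.2.124
0.932634 FoundryN_87:9a:df -> Spanning-tree-(for-bridges)_00 STP RST. Root = 32769/00:0c:db:87:6e:10 Cost = 10000 Port = 0x802f
1.057887 IntelCor_d5:87:09 -> Broadcast ARP Who has 10.34.2.183? Tell 10.34.0.23
2.103475 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
4.103635 Giga-Byt_e5:7b:fe -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
""".splitlines()

if __name__ == "__main__":
    for (mac, ip), s in foreign_arp_senders(SAMPLE).items():
        print(f"{ip} ({mac}): {s['count']} requests, ~{s['mean_interval']}s apart")
```

Capturing with -n, as post #4 suggests, puts the full source MAC in the key, which is the value to look up in the switches' MAC tables.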