LinuxQuestions.org > Linux - Networking > Constant traffic on new cable
https://www.linuxquestions.org/questions/linux-networking-3/constant-traffic-on-new-cable-28278/

Tekime 08-19-2002 03:40 PM

Constant traffic on new cable
 
I use a Slackware 8.1/P233 box as a masquerading gateway for my LAN. I recently switched from Verizon DSL to RoadRunner Cable, and I'm seeing a huge amount of traffic going across my external NIC, revolving primarily around my new DNS providers.

I'll include a chunk of what tcpdump is showing me below. I'm using iptables/masquerading and dhcpcd. Everything works, albeit with some freak blackouts 3-4 days ago; I can get online from my masqueraded computers, and my FTP/web etc. servers are accessible.

I just don't want to be either generating a ton of traffic for RR DNS, or wasting bandwidth and degrading my connection dealing with all this traffic.

Any ideas would be very helpful, until this is resolved I'm not using my cable and I would really like to get it back online.


From tcpdump -i eth1:

00:25:28.612259 arp who-has 10.96.84.76 tell 10.96.80.1
00:25:28.612430 arp who-has 10.96.245.251 tell 10.96.240.1
00:25:28.612726 arp who-has ptd-24-198-16-106.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.613119 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34976+ PTR? 76.84.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19670, len 70)
00:25:28.614123 arp who-has cmldme-cmt1-2nd-24-31-154-230.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:28.614296 arp who-has 10.96.244.104 tell 10.96.240.1
00:25:28.614479 arp who-has 10.96.86.191 tell 10.96.80.1
00:25:28.614688 arp who-has 10.96.85.114 tell 10.96.80.1
00:25:28.616225 arp who-has 10.96.92.179 tell 10.96.80.1
00:25:28.616710 arp who-has 10.96.85.113 tell 10.96.80.1
00:25:28.616881 arp who-has 10.96.85.97 tell 10.96.80.1
00:25:28.617046 arp who-has 10.96.84.106 tell 10.96.80.1
00:25:28.617720 arp who-has 10.96.85.127 tell 10.96.80.1
00:25:28.640836 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34976 NXDomain* q: PTR? 76.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25362, len 162)
00:25:28.641757 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34977+ PTR? 251.245.96.10.in-addr.arpa. (44) (DF) (ttl 64, id 19673, len 72)
00:25:28.666874 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34977 NXDomain* q: PTR? 251.245.96.10.in-addr.arpa. 0/1/0 ns: 10.in-add[|domain] (DF) (ttl 252, id 25363, len 164)
00:25:28.667732 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34978+ PTR? 106.16.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19675, len 72)
00:25:28.677928 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34978* q: PTR? 106.16.198.24.in-addr.arpa. 1/2/2 106.16.19[|domain] (DF) (ttl 252, id 25364, len 228)
00:25:28.678970 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34979+ PTR? 230.154.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19676, len 72)
00:25:28.689953 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34979* q: PTR? 230.154.31.24.in-addr.arpa. 1/2/2 230.154.3[|domain] (DF) (ttl 252, id 25365, len 240)
00:25:28.690864 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34980+ PTR? 104.244.96.10.in-addr.arpa. (44) (DF) (ttl 64, id 19677, len 72)
00:25:28.715916 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34980 NXDomain* q: PTR? 104.244.96.10.in-addr.arpa. 0/1/0 ns: 10.in-add[|domain] (DF) (ttl 252, id 25366, len 164)
00:25:28.716779 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34981+ PTR? 191.86.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19680, len 71)
00:25:28.741944 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34981 NXDomain* q: PTR? 191.86.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25367, len 163)
00:25:28.742801 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34982+ PTR? 114.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19683, len 71)
00:25:28.758386 arp who-has ptd-24-198-24-59.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.767945 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34982 NXDomain* q: PTR? 114.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25368, len 163)
00:25:28.768801 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34983+ PTR? 179.92.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19685, len 71)
00:25:28.795991 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34983 NXDomain* q: PTR? 179.92.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25369, len 163)
00:25:28.796921 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34984+ PTR? 113.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19688, len 71)
00:25:28.814433 arp who-has ptd-24-198-25-223.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.822487 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34984 NXDomain* q: PTR? 113.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25370, len 163)
00:25:28.823346 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34985+ PTR? 97.85.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19691, len 70)
00:25:28.849031 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34985 NXDomain* q: PTR? 97.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25371, len 162)
00:25:28.849885 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34986+ PTR? 106.84.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19693, len 71)
00:25:28.874057 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34986 NXDomain* q: PTR? 106.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25372, len 163)
00:25:28.874911 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34987+ PTR? 127.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19696, len 71)
00:25:28.900577 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34987 NXDomain* q: PTR? 127.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25373, len 163)
00:25:28.902902 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34988+ PTR? 59.24.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19699, len 71)
00:25:28.912113 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34988 q: PTR? 59.24.198.24.in-addr.arpa. 1/2/2 59.24.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25374, len 200)
00:25:28.913748 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34989+ PTR? 223.25.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19700, len 72)
00:25:28.924134 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34989 q: PTR? 223.25.198.24.in-addr.arpa. 1/2/2 223.25.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25375, len 202)
00:25:29.025111 arp who-has ptd-24-198-26-60.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.025889 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34990+ PTR? 60.26.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19711, len 71)
00:25:29.035731 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34990 q: PTR? 60.26.198.24.in-addr.arpa. 1/2/2 60.26.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25376, len 200)
00:25:29.594614 arp who-has cmldme-cmt1-2nd-24-31-155-203.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:29.595352 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34991+ PTR? 203.155.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19768, len 72)
00:25:29.605739 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34991 q: PTR? 203.155.31.24.in-addr.arpa. 1/2/2 203.155.31.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25377, len 214)
00:25:29.662151 arp who-has ptd-24-198-22-99.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.662900 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34992+ PTR? 99.22.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19775, len 71)
00:25:29.670673 arp who-has ptd-24-198-21-222.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.672748 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34992 q: PTR? 99.22.198.24.in-addr.arpa. 1/2/2 99.22.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25378, len 200)
00:25:29.673787 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34993+ PTR? 222.21.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19776, len 72)
00:25:29.682782 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34993 q: PTR? 222.21.198.24.in-addr.arpa. 1/2/2 222.21.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25379, len 202)
00:25:29.725721 arp who-has ptd-24-198-17-190.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.726456 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34994+ PTR? 190.17.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19781, len 72)
00:25:29.738352 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34994* q: PTR? 190.17.198.24.in-addr.arpa. 1/2/2 190.17.19[|domain] (DF) (ttl 252, id 25380, len 228)
00:25:29.880859 arp who-has dt066n21.maine.rr.com tell tas6-qe6.maine.rr.com
00


And it goes on... You can see how many times a second I'm seeing a request.
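A check worth running on the capture above (this is example code added for this page, not something anyone in the thread posted). Two things stand out in the dump: every PTR query is sent by ptd-24-198-22-107, which is the gateway's own external address, and each query asks about the address that appeared in the ARP request immediately before it. That is exactly the pattern tcpdump produces on its own: unless started with -n it does a reverse lookup for every address it prints (and, unless started with -nn, also looks up port names such as "blackjack" from /etc/services), so the capture is generating the DNS traffic it is displaying. The script below parses a few lines copied from the dump, counts how many PTR queries match an address that was just ARPed for, and flags the ones for RFC 1918 addresses, which have no public reverse mapping and so come back NXDOMAIN. Turning a name like ptd-24-198-16-106 back into 24.198.16.106 by reading its last four dash-separated fields is an assumption about this ISP's naming, used here only so the already-resolved ARP lines can be matched; it is not a general rule.

```python
"""Correlate PTR lookups in a tcpdump capture with the ARP targets that preceded them.
Added example; not code from the thread."""
import ipaddress
import re
from collections import Counter

# Constructed sample: nine lines copied verbatim from the capture posted above.
SAMPLE_CAPTURE = """\
00:25:28.612259 arp who-has 10.96.84.76 tell 10.96.80.1
00:25:28.612726 arp who-has ptd-24-198-16-106.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.613119 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34976+ PTR? 76.84.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19670, len 70)
00:25:28.614123 arp who-has cmldme-cmt1-2nd-24-31-154-230.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:28.640836 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34976 NXDomain* q: PTR? 76.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25362, len 162)
00:25:28.667732 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34978+ PTR? 106.16.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19675, len 72)
00:25:28.677928 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34978* q: PTR? 106.16.198.24.in-addr.arpa. 1/2/2 106.16.19[|domain] (DF) (ttl 252, id 25364, len 228)
00:25:28.678970 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34979+ PTR? 230.154.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19676, len 72)
00:25:29.880859 arp who-has dt066n21.maine.rr.com tell tas6-qe6.maine.rr.com
"""

# "<ts> arp who-has <target> tell <sender>"
ARP_RE = re.compile(r"^\S+ arp who-has (\S+) tell (\S+)$")
# "<ts> <host>.<port> > <server>.domain: ... <id>+ PTR? <reversed-ip>.in-addr.arpa."
PTR_QUERY_RE = re.compile(
    r"^\S+ (\S+)\.(\S+) > (\S+)\.domain: .*?\d+\+ PTR\? (\S+)\.in-addr\.arpa\.")
# "<ts> <server>.domain > <host>.<port>: <id>[*] [NXDomain*] q: PTR? <reversed-ip>.in-addr.arpa."
PTR_RESPONSE_RE = re.compile(
    r"^\S+ (\S+)\.domain > (\S+): \d+\*?(?: (NXDomain)\*?)? q: PTR\? (\S+)\.in-addr\.arpa\.")


def host_to_ip(host: str):
    """Best-effort IPv4 for an ARP target as tcpdump printed it.

    Dotted quads come back unchanged.  For names tcpdump already resolved we
    ASSUME this ISP embeds the address as the last four dash-separated octets
    (ptd-24-198-16-106 -> 24.198.16.106); that is a heuristic for these
    hostnames only.  Anything else returns None."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return host
    m = re.search(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?:\.|$)", host)
    return ".".join(m.groups()) if m else None


def ptr_name_to_ip(reversed_quad: str) -> str:
    """'76.84.96.10' (from 76.84.96.10.in-addr.arpa) -> '10.96.84.76'."""
    return ".".join(reversed(reversed_quad.split(".")))


def analyse(capture: str) -> dict:
    """Walk the capture in order and relate each PTR query to earlier ARP traffic."""
    arp_targets = set()          # addresses some gateway has ARPed for so far
    queriers = Counter()         # which host is issuing the PTR queries
    stats = {"arp_requests": 0, "ptr_queries": 0, "ptr_for_arp_target": 0,
             "ptr_for_private_ip": 0, "nxdomain_replies": 0}
    for line in capture.splitlines():
        if m := ARP_RE.match(line):
            stats["arp_requests"] += 1
            if ip := host_to_ip(m.group(1)):
                arp_targets.add(ip)
        elif m := PTR_QUERY_RE.match(line):
            stats["ptr_queries"] += 1
            queriers[m.group(1)] += 1
            ip = ptr_name_to_ip(m.group(4))
            if ip in arp_targets:
                stats["ptr_for_arp_target"] += 1
            if ipaddress.ip_address(ip).is_private:   # RFC 1918: no public PTR exists
                stats["ptr_for_private_ip"] += 1
        elif m := PTR_RESPONSE_RE.match(line):
            if m.group(3) == "NXDomain":
                stats["nxdomain_replies"] += 1
    stats["queriers"] = dict(queriers)
    return stats


if __name__ == "__main__":
    s = analyse(SAMPLE_CAPTURE)
    print(f"ARP requests seen on the wire   : {s['arp_requests']}")
    print(f"PTR queries                     : {s['ptr_queries']} from {s['queriers']}")
    print(f"  for an address just ARPed for : {s['ptr_for_arp_target']}")
    print(f"  for RFC 1918 addresses        : {s['ptr_for_private_ip']}")
    print(f"NXDOMAIN replies                : {s['nxdomain_replies']}")
```

On the nine sample lines every PTR query comes from the gateway itself and matches the ARP target printed just before it. The practical test is to rerun the capture as `tcpdump -n -i eth1` (or `-nn` to leave port numbers unresolved as well): if the PTR traffic disappears, it was the sniffer's own lookups. What remains, ISP gateways broadcasting ARP requests for other customers' addresses, is simply what a bridged cable segment looks like from any port on it, and it is also why a host on such a segment can enumerate its neighbours without sending a single packet.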

Mara 08-19-2002 03:49 PM

It depends on how big your network is. For a bigger one, it may be normal. I suggest a DNS installation (it may be caching-only); it helps a lot.

Tekime 08-19-2002 03:51 PM

No, at the moment I only have one other computer on my LAN; I'm still using DSL on my primary computer until this is fixed.

And I'm sorry if I'm a newb, but by DNS installation do you mean installing a DNS server on my gateway?

Thanks very much for your help

rohang 08-19-2002 06:53 PM

Yeah, I think what they're getting at is to use BIND and run a caching-only name server to help minimise the amount of DNS traffic that's going over your link.

Tekime 08-19-2002 07:08 PM

Do you think running a nameserver will help then?

None of these ARP requests are coming from my LAN. None of this traffic is passing through my internal interface; it is only on my external interface to the cable modem. It looks like most of these requests are coming from my DNS.

I'm also now seeing arp who-has ptd-24-198-*-* tell ptd-24-198-16-1, and 24.198.16.1 has been configured as my gateway for eth1 (external).

It just seems like a huge number of requests coming in from my DNS, and my gateway trying to respond to the requests. I don't understand how starting my own nameserver will help this; but I could be completely wrong.

Please, any and all help will be highly appreciated! ;) I've spent three days trying to figure this out and I have to use it eventually!

Thanks :)

rohang 08-19-2002 07:25 PM

Remember that ARP requests are different from DNS requests.

If you look at the OSI model, ARP isn't even layer 3, rather it's layer 2.

Cable modem networks are traditionally fully bridged (the cable modem is the bridge) so you'll see some ARP traffic.

It also depends on how long the leases are on the IP addresses that the DHCP server is handing out.

peter_robb 08-20-2002 02:43 AM

Are you running arpwatch on your box?

If so, you will have your eth1 in promiscuous mode, and you will see TONS of traffic.
I have my '/etc/sysconfig/arpwatch' set to only look internally.
I added '-i eth0' to the options string.

type 'ifconfig' and see if your cards are in promiscuous mode.

Regards,
Peter

Tekime 08-20-2002 07:55 AM

I believe they are in promiscuous mode. I remember seeing 'Entering promiscuous mode' and 'Leaving promiscuous mode' in my logs when I ran tcpdump. I'm not familiar with arpwatch and I'm not at my box to check.

I set up my cable modem on a Windows machine last night and installed Ethereal. According to Ethereal I'm seeing just as much ARP traffic as on my Linux box, so I guess it's not me.

At least I know this is probably normal, so I can get my system back up and running. Thanks a ton everyone, any other ideas that can help me understand this better would still be very welcome.

peter_robb 09-03-2002 05:17 AM

A short description...

IP numbers are used for routing. PCs look at the numbers to see where the PC lives, whether on a local cable or on a distant cable. If it is distant, it sends the packet to a default gateway device (router), which sends it on again.

If it is local, it sends the packet to the MAC address of the PC.
To find the MAC address it can BROADCAST and wait for the card to reply, "yes, I am xxx.xxx.xxx.xx and my MAC is xx.xx.xx.xx.xx.xx".

You are seeing all the BROADCASTing on your ISP's cable.
You will only see this if your ethernet cards are in promiscuous mode,
so a piece of software is doing this. Maybe arpwatch, maybe Ethereal, etc.

type 'chkconfig --list' and see if one of those is listed and is ON for your runlevel, 5 for X-Windows, 3 for command line.
You won't need it on for a single pc.

Regards,
Peter

