LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-19-2002, 04:40 PM   #1
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Rep: Reputation: 15
Constant traffic on new cable


I use a Slackware 8.1/P233 box as a masquereding gateway for my LAN. I recently switched from Verizon DSL to RoadRunner Cable, and I'm seeing a huge amount of traffic going across my external NIC, rotating primarily around my new DNS providers.

I'll include a chunk of what tcpump is showing me below. I'm using IPTABLES/masquereding and dhcpcd. Everything works, albeit some freak blackouts 3-4 days ago; I can get on-line from my masquereded computers, and my FT/web etc. servers are accessible.

I just don't want to be either generating a ton of traffic for RR DNS, or wasting bandwidth and degrading my connection dealing with all this traffic.

Any ideas would be very helpful, until this is resolved I'm not using my cable and I would really like to get it back online.


From tcpdump -i eth1:

00:25:28.612259 arp who-has 10.96.84.76 tell 10.96.80.1
00:25:28.612430 arp who-has 10.96.245.251 tell 10.96.240.1
00:25:28.612726 arp who-has ptd-24-198-16-106.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.613119 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34976+ PTR? 76.84.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19670, len 70)
00:25:28.614123 arp who-has cmldme-cmt1-2nd-24-31-154-230.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:28.614296 arp who-has 10.96.244.104 tell 10.96.240.1
00:25:28.614479 arp who-has 10.96.86.191 tell 10.96.80.1
00:25:28.614688 arp who-has 10.96.85.114 tell 10.96.80.1
00:25:28.616225 arp who-has 10.96.92.179 tell 10.96.80.1
00:25:28.616710 arp who-has 10.96.85.113 tell 10.96.80.1
00:25:28.616881 arp who-has 10.96.85.97 tell 10.96.80.1
00:25:28.617046 arp who-has 10.96.84.106 tell 10.96.80.1
00:25:28.617720 arp who-has 10.96.85.127 tell 10.96.80.1
00:25:28.640836 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34976 NXDomain* q: PTR? 76.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25362, len 162)
00:25:28.641757 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34977+ PTR? 251.245.96.10.in-addr.arpa. (44) (DF) (ttl 64, id 19673, len 72)
00:25:28.666874 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34977 NXDomain* q: PTR? 251.245.96.10.in-addr.arpa. 0/1/0 ns: 10.in-add[|domain] (DF) (ttl 252, id 25363, len 164)
00:25:28.667732 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34978+ PTR? 106.16.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19675, len 72)
00:25:28.677928 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34978* q: PTR? 106.16.198.24.in-addr.arpa. 1/2/2 106.16.19[|domain] (DF) (ttl 252, id 25364, len 228)
00:25:28.678970 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34979+ PTR? 230.154.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19676, len 72)
00:25:28.689953 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34979* q: PTR? 230.154.31.24.in-addr.arpa. 1/2/2 230.154.3[|domain] (DF) (ttl 252, id 25365, len 240)
00:25:28.690864 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34980+ PTR? 104.244.96.10.in-addr.arpa. (44) (DF) (ttl 64, id 19677, len 72)
00:25:28.715916 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34980 NXDomain* q: PTR? 104.244.96.10.in-addr.arpa. 0/1/0 ns: 10.in-add[|domain] (DF) (ttl 252, id 25366, len 164)
00:25:28.716779 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34981+ PTR? 191.86.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19680, len 71)
00:25:28.741944 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34981 NXDomain* q: PTR? 191.86.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25367, len 163)
00:25:28.742801 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34982+ PTR? 114.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19683, len 71)
00:25:28.758386 arp who-has ptd-24-198-24-59.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.767945 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34982 NXDomain* q: PTR? 114.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25368, len 163)
00:25:28.768801 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34983+ PTR? 179.92.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19685, len 71)
00:25:28.795991 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34983 NXDomain* q: PTR? 179.92.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25369, len 163)
00:25:28.796921 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34984+ PTR? 113.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19688, len 71)
00:25:28.814433 arp who-has ptd-24-198-25-223.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.822487 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34984 NXDomain* q: PTR? 113.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25370, len 163)
00:25:28.823346 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34985+ PTR? 97.85.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19691, len 70)
00:25:28.849031 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34985 NXDomain* q: PTR? 97.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25371, len 162)
00:25:28.849885 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34986+ PTR? 106.84.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19693, len 71)
00:25:28.874057 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34986 NXDomain* q: PTR? 106.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25372, len 163)
00:25:28.874911 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34987+ PTR? 127.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19696, len 71)
00:25:28.900577 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34987 NXDomain* q: PTR? 127.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25373, len 163)
00:25:28.902902 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34988+ PTR? 59.24.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19699, len 71)
00:25:28.912113 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34988 q: PTR? 59.24.198.24.in-addr.arpa. 1/2/2 59.24.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25374, len 200)
00:25:28.913748 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34989+ PTR? 223.25.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19700, len 72)
00:25:28.924134 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34989 q: PTR? 223.25.198.24.in-addr.arpa. 1/2/2 223.25.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25375, len 202)
00:25:29.025111 arp who-has ptd-24-198-26-60.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.025889 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34990+ PTR? 60.26.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19711, len 71)
00:25:29.035731 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34990 q: PTR? 60.26.198.24.in-addr.arpa. 1/2/2 60.26.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25376, len 200)
00:25:29.594614 arp who-has cmldme-cmt1-2nd-24-31-155-203.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:29.595352 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34991+ PTR? 203.155.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19768, len 72)
00:25:29.605739 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34991 q: PTR? 203.155.31.24.in-addr.arpa. 1/2/2 203.155.31.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25377, len 214)
00:25:29.662151 arp who-has ptd-24-198-22-99.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.662900 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34992+ PTR? 99.22.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19775, len 71)
00:25:29.670673 arp who-has ptd-24-198-21-222.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.672748 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34992 q: PTR? 99.22.198.24.in-addr.arpa. 1/2/2 99.22.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25378, len 200)
00:25:29.673787 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34993+ PTR? 222.21.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19776, len 72)
00:25:29.682782 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34993 q: PTR? 222.21.198.24.in-addr.arpa. 1/2/2 222.21.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25379, len 202)
00:25:29.725721 arp who-has ptd-24-198-17-190.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.726456 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34994+ PTR? 190.17.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19781, len 72)
00:25:29.738352 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34994* q: PTR? 190.17.198.24.in-addr.arpa. 1/2/2 190.17.19[|domain] (DF) (ttl 252, id 25380, len 228)
00:25:29.880859 arp who-has dt066n21.maine.rr.com tell tas6-qe6.maine.rr.com
00


And it goes on..... you can see how many times a second I'm seeing a request.
 
Old 08-19-2002, 04:49 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,623

Rep: Reputation: 208Reputation: 208Reputation: 208
It depends how big network you have. For a bigger one, it may be normal. I suggest a dns installation (may be caching-only), it helps much.
 
Old 08-19-2002, 04:51 PM   #3
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Original Poster
Rep: Reputation: 15
No, at the time I only have one other computer on my LAN, I'm still using DSL on my primary comp. until this is fixed.

And I'm sorry if I'm a newb but by dns installation do you mean installing a DNS on my gateway?

Thanks very much for your help
 
Old 08-19-2002, 07:53 PM   #4
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 30
Yeah, I think what they're getting at is to use BIND and run a cacheing only name server to help minimise the amount of DNS traffic that's going over your link.
 
Old 08-19-2002, 08:08 PM   #5
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Original Poster
Rep: Reputation: 15
Do you think running a nameserver will help then?

None of these ARP requests are coming form my LAN. None of this traffic is passing through my internal interface, it is only on my external interface to the cable modem. It looks like most of these requests are coming from my DNS.

I'm also seeing now arp who-has ptd-24-198-*-* tell ptd-24-198-16-1, and 24.198.16.1 has been configured as my gateway for eth1 (external).

It just seems like a huge number of requests coming in from my DNS, and my gateway trying to respond to the requests. I don't understand how starting my own nameserver will help this; but I could be completely wrong.

Please, any and all help will be highly appreciated! I've spent three days trying to figure this out and I have to use it eventually!

Thanks
 
Old 08-19-2002, 08:25 PM   #6
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 30
Remember, that ARP requests are different from DNS requests.

If you look at the OSI model, ARP isn't even layer 3, rather it's layer 2.

Cable modem networks are traditionally fully bridged (the cable modem is the bridge) so you'll see some ARP traffic.

It does also depend on how long the leases on the IP address are, that the DHCP server is handing out.
 
Old 08-20-2002, 03:43 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Are you running arpwatch on your box?

If so, you will have your eth1 in promiscuous mode, and you will see TONS of traffic.
I have my '/etc/sysconfig/arpwatch' to only look internally.
I added '-i eth0' to the options string.

type 'ifconfig' and see if your cards are in promiscuous mode.

Regards,
Peter
 
Old 08-20-2002, 08:55 AM   #8
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Original Poster
Rep: Reputation: 15
I belive they are in promiscuous mode. I remember seeing 'Entering promiscuous mode' and 'Leaving promiscuous mode' in my logs when I ran tcpdump. I'm not familiar with arpwatch and I'm not at my box to check.

I set up my cable modem on a Windows machine last night and installed Ethereal. According to Ethereal I'm seeing just as much ARP traffic as on my Linux box, so I guess it's not me.

At least I know this is probably normal, so I can get my system back up and running. Thanks a ton everyone, any other ideas that can help me understand this better would still be very welcome.
 
Old 09-03-2002, 06:17 AM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
A short description...

IP numbers are used for routing. Pc's look at the numbers to see where the pc lives, whether on a local cable, or on a distant cable. If it is distant, it sends the packet to a default gateway device, router, which sends it on again.

If it is local, it sends the packet to the MAC address of the pc.
To find the MAC address it can BROADCAST and wait for the card to reply, "yes, Iam xxx.xxx.xxx.xx and my MAC is xx.xx.xx.xx.xx.xx"

You are seeing all the BROADCASTing on your ISP's cable.
You will only see this if your ethernet cards are in promiscuous mode,
so a piece of software is doing this. Maybe arpwatch, maybe Ethereal etc

type 'chkconfig --list' and see if one of those is listed and is ON for your runlevel, 5 for X-Windows, 3 for command line.
You won't need it on for a single pc.

Regards,
Peter
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Traffic shaping (limiting outgoing bandwidth of all TCP-traffic except FTP/HTTP) ffkodd Linux - Networking 3 10-25-2008 01:09 AM
how to find http traffic and mail traffic alone? basbosco Linux - General 1 06-07-2005 11:29 PM
ifconfig traffic != emule traffic bobwall Linux - Networking 0 02-06-2005 10:59 AM
knetload reports constant traffic on eth0 + cable modem Freon Linux - Networking 3 11-30-2004 11:05 PM
Wireless traffic stomps isdn traffic on gateway machine Radix999 Linux - Wireless Networking 0 11-14-2003 01:54 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 10:28 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration