LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 08-19-2002, 03:40 PM   #1
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Rep: Reputation: 15
Constant traffic on new cable


I use a Slackware 8.1/P233 box as a masquerading gateway for my LAN. I recently switched from Verizon DSL to RoadRunner Cable, and I'm seeing a huge amount of traffic going across my external NIC, revolving primarily around my new DNS providers.

I'll include a chunk of what tcpdump is showing me below. I'm using IPTABLES/masquerading and dhcpcd. Everything works, apart from some freak blackouts 3-4 days ago; I can get online from my masqueraded computers, and my FTP/web etc. servers are accessible.

I just don't want to be either generating a ton of traffic for RR DNS, or wasting bandwidth and degrading my connection dealing with all this traffic.

Any ideas would be very helpful, until this is resolved I'm not using my cable and I would really like to get it back online.


From tcpdump -i eth1:

00:25:28.612259 arp who-has 10.96.84.76 tell 10.96.80.1
00:25:28.612430 arp who-has 10.96.245.251 tell 10.96.240.1
00:25:28.612726 arp who-has ptd-24-198-16-106.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.613119 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34976+ PTR? 76.84.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19670, len 70)
00:25:28.614123 arp who-has cmldme-cmt1-2nd-24-31-154-230.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:28.614296 arp who-has 10.96.244.104 tell 10.96.240.1
00:25:28.614479 arp who-has 10.96.86.191 tell 10.96.80.1
00:25:28.614688 arp who-has 10.96.85.114 tell 10.96.80.1
00:25:28.616225 arp who-has 10.96.92.179 tell 10.96.80.1
00:25:28.616710 arp who-has 10.96.85.113 tell 10.96.80.1
00:25:28.616881 arp who-has 10.96.85.97 tell 10.96.80.1
00:25:28.617046 arp who-has 10.96.84.106 tell 10.96.80.1
00:25:28.617720 arp who-has 10.96.85.127 tell 10.96.80.1
00:25:28.640836 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34976 NXDomain* q: PTR? 76.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25362, len 162)
00:25:28.641757 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34977+ PTR? 251.245.96.10.in-addr.arpa. (44) (DF) (ttl 64, id 19673, len 72)
00:25:28.666874 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34977 NXDomain* q: PTR? 251.245.96.10.in-addr.arpa. 0/1/0 ns: 10.in-add[|domain] (DF) (ttl 252, id 25363, len 164)
00:25:28.667732 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34978+ PTR? 106.16.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19675, len 72)
00:25:28.677928 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34978* q: PTR? 106.16.198.24.in-addr.arpa. 1/2/2 106.16.19[|domain] (DF) (ttl 252, id 25364, len 228)
00:25:28.678970 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34979+ PTR? 230.154.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19676, len 72)
00:25:28.689953 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34979* q: PTR? 230.154.31.24.in-addr.arpa. 1/2/2 230.154.3[|domain] (DF) (ttl 252, id 25365, len 240)
00:25:28.690864 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34980+ PTR? 104.244.96.10.in-addr.arpa. (44) (DF) (ttl 64, id 19677, len 72)
00:25:28.715916 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34980 NXDomain* q: PTR? 104.244.96.10.in-addr.arpa. 0/1/0 ns: 10.in-add[|domain] (DF) (ttl 252, id 25366, len 164)
00:25:28.716779 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34981+ PTR? 191.86.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19680, len 71)
00:25:28.741944 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34981 NXDomain* q: PTR? 191.86.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25367, len 163)
00:25:28.742801 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34982+ PTR? 114.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19683, len 71)
00:25:28.758386 arp who-has ptd-24-198-24-59.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.767945 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34982 NXDomain* q: PTR? 114.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25368, len 163)
00:25:28.768801 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34983+ PTR? 179.92.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19685, len 71)
00:25:28.795991 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34983 NXDomain* q: PTR? 179.92.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25369, len 163)
00:25:28.796921 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34984+ PTR? 113.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19688, len 71)
00:25:28.814433 arp who-has ptd-24-198-25-223.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.822487 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34984 NXDomain* q: PTR? 113.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25370, len 163)
00:25:28.823346 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34985+ PTR? 97.85.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19691, len 70)
00:25:28.849031 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34985 NXDomain* q: PTR? 97.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25371, len 162)
00:25:28.849885 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34986+ PTR? 106.84.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19693, len 71)
00:25:28.874057 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34986 NXDomain* q: PTR? 106.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25372, len 163)
00:25:28.874911 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34987+ PTR? 127.85.96.10.in-addr.arpa. (43) (DF) (ttl 64, id 19696, len 71)
00:25:28.900577 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34987 NXDomain* q: PTR? 127.85.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr[|domain] (DF) (ttl 252, id 25373, len 163)
00:25:28.902902 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34988+ PTR? 59.24.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19699, len 71)
00:25:28.912113 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34988 q: PTR? 59.24.198.24.in-addr.arpa. 1/2/2 59.24.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25374, len 200)
00:25:28.913748 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34989+ PTR? 223.25.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19700, len 72)
00:25:28.924134 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34989 q: PTR? 223.25.198.24.in-addr.arpa. 1/2/2 223.25.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25375, len 202)
00:25:29.025111 arp who-has ptd-24-198-26-60.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.025889 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34990+ PTR? 60.26.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19711, len 71)
00:25:29.035731 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34990 q: PTR? 60.26.198.24.in-addr.arpa. 1/2/2 60.26.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25376, len 200)
00:25:29.594614 arp who-has cmldme-cmt1-2nd-24-31-155-203.maine.rr.com tell cmldme-cmt1-2nd-gw.maine.rr.com
00:25:29.595352 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34991+ PTR? 203.155.31.24.in-addr.arpa. (44) (DF) (ttl 64, id 19768, len 72)
00:25:29.605739 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34991 q: PTR? 203.155.31.24.in-addr.arpa. 1/2/2 203.155.31.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25377, len 214)
00:25:29.662151 arp who-has ptd-24-198-22-99.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.662900 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34992+ PTR? 99.22.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19775, len 71)
00:25:29.670673 arp who-has ptd-24-198-21-222.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.672748 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34992 q: PTR? 99.22.198.24.in-addr.arpa. 1/2/2 99.22.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25378, len 200)
00:25:29.673787 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34993+ PTR? 222.21.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19776, len 72)
00:25:29.682782 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34993 q: PTR? 222.21.198.24.in-addr.arpa. 1/2/2 222.21.198.24.in-addr.arpa.[|domain] (DF) (ttl 252, id 25379, len 202)
00:25:29.725721 arp who-has ptd-24-198-17-190.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.726456 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34994+ PTR? 190.17.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19781, len 72)
00:25:29.738352 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34994* q: PTR? 190.17.198.24.in-addr.arpa. 1/2/2 190.17.19[|domain] (DF) (ttl 252, id 25380, len 228)
00:25:29.880859 arp who-has dt066n21.maine.rr.com tell tas6-qe6.maine.rr.com
00


And it goes on... you can see how many times a second I'm seeing a request.
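Every PTR query in the dump follows an ARP line for the same address (the ARP for 10.96.84.76 at 00:25:28.612 is followed by PTR? 76.84.96.10.in-addr.arpa at 00:25:28.613), and the queries leave the gateway's own port. The script below is added here and is not from the thread; it parses lines in the format above to make that pairing explicit and to count ARP requests per second, and the embedded-address heuristic for names like ptd-24-198-16-106 is an assumption about this ISP's naming. Reverse lookups of exactly this shape are what tcpdump itself issues when run without -n, so re-running the capture as tcpdump -n -i eth1 is the first check before attributing the DNS traffic to the ISP.

```python
import re
from collections import Counter

# Sample lines copied from the tcpdump output in the post above.
SAMPLE = """\
00:25:28.612259 arp who-has 10.96.84.76 tell 10.96.80.1
00:25:28.612726 arp who-has ptd-24-198-16-106.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:28.613119 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34976+ PTR? 76.84.96.10.in-addr.arpa. (42) (DF) (ttl 64, id 19670, len 70)
00:25:28.640836 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34976 NXDomain* q: PTR? 76.84.96.10.in-addr.arpa. 0/1/0 ns: 10.in-addr. (134) (DF) (ttl 252, id 25362, len 162)
00:25:28.667732 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34978+ PTR? 106.16.198.24.in-addr.arpa. (44) (DF) (ttl 64, id 19675, len 72)
00:25:28.677928 dns-server.maine.rr.com.domain > ptd-24-198-22-107.maine.rr.com.blackjack: 34978* q: PTR? 106.16.198.24.in-addr.arpa. 1/2/2 106.16.19[|domain] (DF) (ttl 252, id 25364, len 228)
00:25:29.025111 arp who-has ptd-24-198-26-60.maine.rr.com tell ptd-24-198-16-1.maine.rr.com
00:25:29.025889 ptd-24-198-22-107.maine.rr.com.blackjack > dns-server.maine.rr.com.domain: [udp sum ok] 34990+ PTR? 60.26.198.24.in-addr.arpa. (43) (DF) (ttl 64, id 19711, len 71)
"""

ARP_RE = re.compile(r'^(\S+) arp who-has (\S+) tell (\S+)')
PTR_Q_RE = re.compile(r'^(\S+) (\S+) > (\S+): \[udp sum ok\] (\d+)\+ PTR\? (\S+)\.in-addr\.arpa\.')
PTR_R_RE = re.compile(r'^(\S+) (\S+) > (\S+): (\d+)(?: (NXDomain))?\*? q: PTR\?')
# Assumption: this ISP embeds the address in names such as ptd-24-198-16-106.
EMBEDDED_IP = re.compile(r'(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})')

def target_ip(name):
    """Address an ARP target refers to: a dotted quad, or one embedded in the name."""
    if re.fullmatch(r'\d{1,3}(\.\d{1,3}){3}', name):
        return name
    m = EMBEDDED_IP.search(name)
    return '.'.join(m.groups()) if m else None

def ptr_to_ip(label):
    """in-addr.arpa order back to a normal address: 76.84.96.10 -> 10.96.84.76."""
    return '.'.join(reversed(label.split('.')))

def analyse(text):
    arps, ptr_queries, nxdomain, responses = [], [], 0, 0
    for line in text.splitlines():
        if m := ARP_RE.match(line):
            arps.append((m.group(1), target_ip(m.group(2))))
        elif m := PTR_Q_RE.match(line):
            ptr_queries.append((m.group(1), m.group(4), ptr_to_ip(m.group(5))))
        elif m := PTR_R_RE.match(line):
            responses += 1
            nxdomain += 1 if m.group(5) else 0
    targets = {ip for _, ip in arps if ip}
    paired = [q for q in ptr_queries if q[2] in targets]   # PTR for an address just ARPed
    return {'arp': len(arps), 'ptr_queries': len(ptr_queries), 'ptr_for_arp_target': len(paired),
            'responses': responses, 'nxdomain': nxdomain,
            'arp_per_second': dict(Counter(ts.split('.')[0] for ts, _ in arps))}

if __name__ == '__main__':
    for key, value in analyse(SAMPLE).items():
        print(f'{key}: {value}')
```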
 
Old 08-19-2002, 03:49 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232
It depends on how big a network you have. For a bigger one, it may be normal. I suggest a DNS installation (it may be caching-only); it helps a lot.
 
Old 08-19-2002, 03:51 PM   #3
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Original Poster
Rep: Reputation: 15
No, at the moment I only have one other computer on my LAN; I'm still using DSL on my primary computer until this is fixed.

And I'm sorry if I'm a newb, but by DNS installation do you mean installing a DNS server on my gateway?

Thanks very much for your help
 
Old 08-19-2002, 06:53 PM   #4
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 31
Yeah, I think what they're getting at is to use BIND and run a caching-only name server to help minimise the amount of DNS traffic that's going over your link.
 
Old 08-19-2002, 07:08 PM   #5
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Original Poster
Rep: Reputation: 15
Do you think running a nameserver will help then?

None of these ARP requests are coming from my LAN. None of this traffic is passing through my internal interface; it is only on my external interface to the cable modem. It looks like most of these requests are coming from my DNS.

I'm also seeing now arp who-has ptd-24-198-*-* tell ptd-24-198-16-1, and 24.198.16.1 has been configured as my gateway for eth1 (external).

It just seems like a huge number of requests coming in from my DNS, and my gateway trying to respond to the requests. I don't understand how starting my own nameserver will help this; but I could be completely wrong.

Please, any and all help will be highly appreciated! I've spent three days trying to figure this out and I have to use it eventually!

Thanks
 
Old 08-19-2002, 07:25 PM   #6
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 31
Remember that ARP requests are different from DNS requests.

If you look at the OSI model, ARP isn't even layer 3, rather it's layer 2.

Cable modem networks are traditionally fully bridged (the cable modem is the bridge) so you'll see some ARP traffic.

It does also depend on how long the leases on the IP address are, that the DHCP server is handing out.
 
Old 08-20-2002, 02:43 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Are you running arpwatch on your box?

If so, you will have your eth1 in promiscuous mode, and you will see TONS of traffic.
I have my '/etc/sysconfig/arpwatch' to only look internally.
I added '-i eth0' to the options string.

Type 'ifconfig' and see if your cards are in promiscuous mode.

Regards,
Peter
 
Old 08-20-2002, 07:55 AM   #8
Tekime
Member
 
Registered: Feb 2002
Location: East Coast USA
Distribution: Slackware
Posts: 53

Original Poster
Rep: Reputation: 15
I believe they are in promiscuous mode. I remember seeing 'Entering promiscuous mode' and 'Leaving promiscuous mode' in my logs when I ran tcpdump. I'm not familiar with arpwatch and I'm not at my box to check.

I set up my cable modem on a Windows machine last night and installed Ethereal. According to Ethereal I'm seeing just as much ARP traffic as on my Linux box, so I guess it's not me.

At least I know this is probably normal, so I can get my system back up and running. Thanks a ton everyone, any other ideas that can help me understand this better would still be very welcome.
 
Old 09-03-2002, 05:17 AM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
A short description...

IP numbers are used for routing. PCs look at the numbers to see where the PC lives, whether on a local cable or on a distant cable. If it is distant, it sends the packet to a default gateway device, a router, which sends it on again.

If it is local, it sends the packet to the MAC address of the PC.
To find the MAC address it can BROADCAST and wait for the card to reply, "yes, I am xxx.xxx.xxx.xx and my MAC is xx.xx.xx.xx.xx.xx"

You are seeing all the BROADCASTing on your ISP's cable.
You will only see this if your ethernet cards are in promiscuous mode,
so a piece of software is doing this. Maybe arpwatch, maybe Ethereal, etc.

Type 'chkconfig --list' and see if one of those is listed and is ON for your runlevel, 5 for X-Windows, 3 for command line.
You won't need it on for a single pc.

Regards,
Peter
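Posts #7 and #9 both come down to the same check: is the external card in promiscuous mode, and if so, which program put it there. The script below is added here and is not from the thread; it reads the PROMISC flag from old-style ifconfig output (a constructed sample, with addresses taken from the capture) and, on a live Linux host, from the IFF_PROMISC bit (0x100) in /sys/class/net/<interface>/flags. One caveat from a defender's side: ARP who-has requests are broadcast frames and reach every card on the segment whether or not it is promiscuous, so this check explains unicast traffic that does not belong to you, not the ARP lines themselves.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # Linux interface flag bit for promiscuous mode

# Constructed sample of old-style ifconfig output; the eth1 address is the
# gateway's address from the capture, the rest are placeholders.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          inet addr:24.198.22.107  Bcast:24.198.23.255  Mask:255.255.252.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
"""

def promisc_from_ifconfig(text):
    """Names of interfaces whose flag line in ifconfig output carries PROMISC."""
    found, current = [], None
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+Link encap', line)   # start of an interface block
        if m:
            current = m.group(1)
        elif current and re.search(r'\bPROMISC\b', line):
            found.append(current)
    return found

def promisc_from_flags(flags_hex):
    """Decode the hex flags string from /sys/class/net/<if>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex, 16) & IFF_PROMISC)

def promisc_interfaces(sysfs=Path('/sys/class/net')):
    """Live check on a Linux host; returns an empty list where sysfs is absent."""
    found = []
    if sysfs.is_dir():
        for dev in sysfs.iterdir():
            flags = dev / 'flags'
            if flags.is_file() and promisc_from_flags(flags.read_text().strip()):
                found.append(dev.name)
    return sorted(found)

if __name__ == '__main__':
    print('PROMISC in sample ifconfig output:', promisc_from_ifconfig(IFCONFIG_SAMPLE))
    print('PROMISC on this host:', promisc_interfaces())
```

If the live check lists the external interface while no capture tool is running, look for a sniffer started at boot, as post #9 suggests with chkconfig --list.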
 