Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 04-15-2005, 06:32 AM   #1
Registered: Jan 2004
Posts: 54

Rep: Reputation: 15
Flooded by ARP packets

System monitor shows upto 50% network activity on 100 Mbps connection. Ethereal shows that 80 - 90% packates are ARP packets and 10% UPD, even when there is no network connection on my standalone machine on lan (Not using NIS, NFS or other network services). What could be reason for this?
Old 04-15-2005, 06:52 AM   #2
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32

If you have several switches ou hubs, then you may experience looping issues : if spanning tree isn't enabled or is misconfigured and if you've some loops in your LAN, then arp broadcast are for ever forwarded from a switch to another, and another till saturation of bandwidth.
Old 04-15-2005, 07:11 AM   #3
Registered: Jan 2004
Posts: 54

Original Poster
Rep: Reputation: 15
I do not have complete topology of our campus lan available, but is it possible to make sure existance of loops using some network tools? All I know is our network switch is connected to fibre optic backend of the campus. However, I have not encountered this problem using machines on other subnets of campus network.
Old 04-15-2005, 07:25 AM   #4
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
In addition to what fr_laz posted - if the arps are from the same source and arp'ing for IP addresses in sequence i.e.

who has, tell
who has, tell
who has, tell

Then there is a good chance you have a virus infected computer on your subnet looking to infect other computers.
Old 04-15-2005, 07:46 AM   #5
Registered: Jan 2004
Posts: 54

Original Poster
Rep: Reputation: 15
Yes, most of the packets are such. I also thought of virus but source and destination packets are not from same machines. As source and destination both are varying, I ruled out that possibility, However, it might be a smart virus or a group of infected machines. Other thing is that all discovery requests are not for valid IP, It appears like random probing. The problem is our subnet is very large (Thousands of machines) divided in sub-sub-nets of hundreds of machines.

Thanks anyway for suggestions.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How can we block arp packets? Linux.tar.gz Linux - Networking 13 09-13-2011 02:18 AM
What are ARP packets? abefroman Linux - Security 2 05-23-2005 12:52 AM
Network Flooded With ARP requests aronnok Linux - Security 3 12-25-2004 04:54 PM
my network is flooded with ARP packets !? qwijibow Linux - Security 16 11-03-2004 10:32 AM
Why am I flooding my network with ARP packets? DocKarl Linux - Networking 0 05-07-2004 06:47 AM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:50 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration