Re: ARP chatter

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/30/04


Date: Tue, 30 Nov 2004 15:58:38 -0600

In article <Y8Qqd.369186$Pl.364631@pd7tw1no>, Island Techie wrote:

>After doing some research and communicating with my ISP tech support I
>understand it is normal but how much is normal, and why have I never
>noticed this steady traffic before?

Have you looked before? ;-)

RFC826 describes ARP. Briefly, ARP is used to translate between the IP
addresses used by computers with the hardware level protocols used on
the cable media. When a system wishes to talk to another, it first sends
an ARP request - a broadcast asking what's the hardware address of IP
12.34.56.78 or whatever. That host responds and says "I'm here". Both
systems then remember the hardware addresses for some time - RFC1122
section 2.3.2 suggests a timeout of _about_ one minute.

What you are _PROBABLY_ seeing is the result of windoze worms trying to
spread. Many worms try to spread to every host address. To do so, they
want to know the hardware address associated with each IP. If the host
that is trying to spread the infection is local (on your wire), you'll
see it sending the ARP requests. If the host is remote, then it will
be your gateway router doing the asking. How much of this traffic is
generated is dependent on how large the local network is (you can
determine this by looking at the network configuration data on the
cable modem, or by just looking at the range of addresses you see). A
typical range might be 128, 256 (quite common), 512, 1024 or rarely 2048.

>The traffic is a lowly 1.4KB but seems to have increased over the last few
>months. Any information would be helpful.

Each packet is only 28 bytes (42 if you include the Ethernet header) plus
any padding needed to bring it up to the minimum required at the wire level
(on Ethernet, this would add 18 bytes for a total of 60 bytes), so even if
you assume seeing only data (28 bytes), 1.4 KB/Sec is 50 ARP packets (most
cable modems only let you see all broadcasts and only those unicasts directed
at you, so you are unlikely to see the 50 ARP _requests_ AND 50 _replies_ if
the queried host is up), which really isn't anything important. Assuming
a continuous chatter, 50 per second times 60 seconds that an ARP should
"last" says about 300 hosts on the wire. In the rare 'worst case' of 2048
hosts on a local segment (ex. 12.34.0.0 to 12.34.7.255), the traffic should
_average_ no more than 9.5 KB/Sec. Doubling this for the unseen replies is
still a drop in the bucket.

        Old guy
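An added example, not part of Moe Trin's post: a small Python decoder for the RFC 826 exchange described above (Ethernet header plus 28-byte ARP packet, padded to the 60-byte wire minimum), together with the check a practitioner would actually run on such a capture: count how many distinct addresses each sender has asked for, since a host walking the whole segment is what a spreading worm looks like on the wire. The frames, MAC addresses, the 192.168.1.0/24 range and the sweep threshold are all constructed here for illustration.

```python
import struct
from collections import defaultdict

# Wire layouts (RFC 826 over Ethernet): 14-byte Ethernet header, 28-byte ARP packet.
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
MIN_FRAME = 60   # minimum Ethernet frame size, FCS excluded; shorter frames are padded

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa):
    """Build one Ethernet frame carrying an ARP packet, padded to the wire minimum.
    Requests go to the broadcast MAC; replies are unicast back to the asker."""
    dst = BROADCAST if oper == ARP_REQUEST else tha
    frame = ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    return frame.ljust(MIN_FRAME, b"\x00")

def parse_arp(frame):
    """Decode an Ethernet frame; return the ARP fields, or None if it is not
    a well-formed IPv4-over-Ethernet ARP request or reply."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (ARP_REQUEST, ARP_REPLY):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa), "broadcast": dst == BROADCAST}

def sweep_suspects(frames, threshold):
    """Count the distinct IPs each sender has asked for. A host that queries many
    different targets in one capture window is sweeping the segment (what a
    spreading worm does); a normal host asks for a handful of peers and its gateway."""
    asked = defaultdict(set)
    for f in frames:
        a = parse_arp(f)
        if a and a["oper"] == ARP_REQUEST:
            asked[a["spa"]].add(a["tpa"])
    return {spa: len(t) for spa, t in asked.items() if len(t) >= threshold}

# Constructed sample capture (not real traffic): a well-behaved host resolving
# its gateway, the gateway's unicast reply, and one host asking for every
# address in 192.168.1.1-192.168.1.20 in turn, as a scanning host would.
def _ip(n):
    return bytes([192, 168, 1, n])

GW_MAC, HOST_MAC, SCAN_MAC = (bytes.fromhex(h) for h in
                              ("001122334401", "001122334410", "001122334450"))
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_MAC, _ip(10), b"\x00" * 6, _ip(1)),
    build_arp(ARP_REPLY, GW_MAC, _ip(1), HOST_MAC, _ip(10)),
] + [build_arp(ARP_REQUEST, SCAN_MAC, _ip(50), b"\x00" * 6, _ip(n)) for n in range(1, 21)]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES[:2]:
        print(parse_arp(f))
    print("sweeping:", sweep_suspects(SAMPLE_FRAMES, threshold=10))
```

On a real segment you would feed `parse_arp` the raw frames from a pcap and pick the threshold from the size of the local range; the replies will usually be missing from what a cable modem lets you see, which is why the detector keys on requests only.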


