Re: ARP chatter
From: Island Techie (island_techie_at_yahoo.ca)
Date: 12/01/04
Date: Tue, 30 Nov 2004 23:47:57 GMT
Moe Trin, thank you for the response.
"Moe Trin" <ibuprofin@painkiller.example.tld> wrote in message
news:slrncqpr8b.9o4.ibuprofin@compton.phx.az.us...
> In article <Y8Qqd.369186$Pl.364631@pd7tw1no>, Island Techie wrote:
>
>>After doing some research and communicating with my ISP tech support I
>>understand it is normal but how much is normal, and why have I never
>>noticed this steady traffic before?
>
> Have you looked before? ;-)
>
I always keep an eye on my cable modem, and rarely have I seen this type of
constant activity unless I'm downloading or uploading something.
> RFC826 describes ARP. Briefly, ARP is used to translate between the IP
> addresses used by computers with the hardware level protocols used on
> the cable media. When a system wishes to talk to another, it first sends
> an ARP request - a broadcast asking what's the hardware address of IP
> 12.34.56.78 or whatever. That host responds and says "I'm here". Both
> systems then remember the hardware addresses for some time - RFC1122
> section 2.3.2 suggests a timeout of _about_ one minute.
>
> What you are _PROBABLY_ seeing is the result of windoze worms trying to
> spread. Many worms try to spread to every host address. To do so, they
> want to know the hardware address associated with each IP. If the host
> that is trying to spread the infection is local (on your wire), you'll
> see it sending the ARP requests. If the host is remote, then it will
> be your gateway router doing the asking. How much of this traffic is
> generated is dependent on how large the local network is (you can
> determine this by looking at the network configuration data on the
> cable modem, or by just looking at the range of addresses you see). A
> typical range might be 128, 256 (quite common), 512, 1024 or rarely 2048.
>
Not sure how large the network is, but I'll check it out when I get home.
The traffic is all incoming I think from the gateway router. 24.*.*.1
>>The traffic is a lowly 1.4KB but seems to have increased over the last few
>>months. Any information would be helpful.
>
> Each packet is only 28 bytes (42 if you include the Ethernet header) plus
> any padding needed to bring it up to the minimum required at the wire
> level (on Ethernet, this would add 18 bytes for a total of 60 bytes), so
> even if you assume seeing only data (28 bytes), 1.4 KB/Sec is 50 ARP
> packets (most cable modems only let you see all broadcasts and only those
> unicasts directed at you, so you are unlikely to see the 50 ARP _requests_
> AND 50 _replies_ if the queried host is up), which really isn't anything
> important. Assuming a continuous chatter, 50 per second times 60 seconds
> that an ARP should "last" says about 300 hosts on the wire. In the rare
> 'worst case' of 2048 hosts on a local segment (ex. 12.34.0.0 to
> 12.34.7.255), the traffic should _average_ no more than 9.5 KB/Sec.
> Doubling this for the unseen replies is still a drop in the bucket.
>
> Old guy
>
Thanks for your input.
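
Added example, not part of the original post: a Python sketch that parses Ethernet/IPv4 ARP frames in the RFC 826 layout discussed above and counts how many distinct addresses each sender asks for, which is how a sweep relayed by the gateway shows up in a capture. The frames, the 192.0.2.x addresses, the MACs and the `min_targets` threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType (14 bytes)
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 body for Ethernet/IPv4 (28 bytes)
ETHERTYPE_ARP, OP_REQUEST = 0x0806, 1
MIN_FRAME = 60                              # Ethernet minimum, FCS not counted

def build_request(src_mac, src_ip, target_ip):
    """Build a padded broadcast who-has frame; used only to construct sample input."""
    eth = ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = ARP_BODY.pack(1, 0x0800, 6, 4, OP_REQUEST,
                        src_mac, bytes(src_ip), b"\x00" * 6, bytes(target_ip))
    return (eth + arp).ljust(MIN_FRAME, b"\x00")

def parse_arp(frame):
    """Return (opcode, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None                         # truncated capture
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                         # some other hardware/protocol pairing
    return op, ".".join(map(str, spa)), ".".join(map(str, tpa))

def sweep_suspects(frames, min_targets=16):
    """Map sender IP -> count of distinct target IPs, for senders at or above min_targets."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == OP_REQUEST:
            targets[parsed[1]].add(parsed[2])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_targets}

# Constructed capture: a gateway asking for 40 addresses, one ordinary host, one junk frame.
GW_MAC, HOST_MAC = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x4d"
SAMPLE = [build_request(GW_MAC, (192, 0, 2, 1), (192, 0, 2, n)) for n in range(10, 50)]
SAMPLE += [build_request(HOST_MAC, (192, 0, 2, 77), (192, 0, 2, 1))] * 2
SAMPLE.append(b"\x00" * 20)

if __name__ == "__main__":
    print(sweep_suspects(SAMPLE))
```

A sender that appears here with a large distinct-target count is the machine doing the asking on the local wire; when that sender is the gateway, the source of the probing is on the far side of it.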