Networking Question

  • Networking Question

    My cable modem has been getting blasted with traffic as of late, so I ran Ethereal to try and determine what was happening. I captured 2500 packets in 15 seconds, the vast majority (99.5%) is ARP traffic coming from 3 maybe 4 IP addresses. I also took a look at my router logs and it's getting hammered with ICMP traffic. To me, it looks like echo requests (type = 8) and my router as designed is dropping them.

    So I have a host of questions that I can't answer....

    What would be causing the 3 or 4 addresses to be blasting the ARP traffic and how can I get it (them) to stop? I've tried calling the ISP engineers but they were of little to no help (and no, DSL isn't an option right now).

    Is there any correlation between the ICMP traffic and the ARP traffic? Why wouldn't Ethereal capture the ICMP traffic as well, or is it the same traffic but my capturing devices (router and Ethereal) are working at different layers, the network layer and the data link layer respectively?

  • #2
    Are those addresses on your subnet? I had a similar problem and it was a chatty NIC, can't swear ARP would be generated however.



    • #3
      There are a number of things that can cause ARP chatter, most notably ARP cache poisoning (through the use of a tool like ettercap). If possible could you post Ethereal's log of the ARP traffic so we can get a better idea of what's going on?
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
      [ redacted ]



      • #4
        Originally posted by bascule
        There are a number of things that can cause ARP chatter, most notably ARP cache poisoning (through the use of a tool like ettercap). If possible could you post Ethereal's log of the ARP traffic so we can get a better idea of what's going on?
        Have you specifically identified the offending IP address? i.e., Whois



        • #5
          Ethereal Log

          Looks like the same subnet for the biggest offender which also happens to be my default gateway as seen from my router copied below:

          Default Gateway
          24.163.144.1

          Attached below is some traffic I captured this morning in a zip file.

          I'm not familiar with the mechanics of ARP cache poisoning but will certainly do some googling and see what I find.

          edit: I had to add the extension .zip to the file to open it and then use Ethereal to view the log contents. If anyone has a better way to extract this file please let me know. Thanks.
          Attached Files
          Last edited by TRUNX883; December 24, 2003, 12:53.

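Added example, not part of any post in the thread: a short Python triage of captured Ethernet frames that reports how much of the capture is ARP, which sender IPs issue the most who-has requests, and whether any IP is claimed by more than one MAC, which is the pattern an ARP cache poisoning check usually looks for. Only the gateway address 24.163.144.1 comes from the thread; the MAC addresses, the other IPs and the helper names are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

def summarize(frames):
    """Share of ARP in the capture, busiest who-has senders, and IPs claimed by more than one MAC."""
    requests, macs_for_ip, arp = Counter(), defaultdict(set), 0
    for frame in frames:
        rec = parse_arp(frame)
        if rec is None:
            continue                      # not ARP (e.g. IP traffic such as ICMP)
        arp += 1
        op, mac, ip, _target = rec
        if ip != "0.0.0.0":               # ARP probes carry no sender IP
            macs_for_ip[ip].add(mac)
        if op == 1:                       # 1 = request (who-has), 2 = reply
            requests[ip] += 1
    conflicts = {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}
    return {"arp_share": arp / len(frames) if frames else 0.0,
            "top_requesters": requests.most_common(3), "conflicts": conflicts}

def build_arp(op, sha, spa, tpa):
    """Constructed test frame: broadcast Ethernet header plus a 28-byte ARP body."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!HHHBBH", ETHERTYPE_ARP, 1, 0x0800, 6, 4, op)
    return b"\xff" * 6 + sha + hdr + sha + ip(spa) + bytes(6) + ip(tpa)

# Constructed sample. Only 24.163.144.1 comes from the thread; MACs and other IPs are made up.
GW_MAC, HOST_MAC, ODD_MAC = (bytes.fromhex(h) for h in ("020000000001", "020000000077", "020000000099"))
NORMAL = [build_arp(1, GW_MAC, "24.163.144.1", f"24.163.144.{n}") for n in range(10, 15)]
NORMAL.append(build_arp(1, HOST_MAC, "24.163.144.77", "24.163.144.1"))
NORMAL.append(b"\xff" * 6 + HOST_MAC + b"\x08\x00" + bytes(28))   # one IPv4 (non-ARP) frame
SUSPECT = NORMAL + [build_arp(2, ODD_MAC, "24.163.144.1", "24.163.144.77")]

if __name__ == "__main__":
    print(summarize(NORMAL))    # gateway dominates the requests, no conflicts
    print(summarize(SUSPECT))   # gateway IP now seen from two different MACs
```

An empty `conflicts` map with one sender asking for many different targets is a different picture from a single IP answered by several MACs, and the second is the case worth chasing.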