I have a strange problem that Google surfing can't solve.
I run Ethereal and about 95% of the packets are ARP requests. I let Ethereal run for 10 seconds and I get about 434 ARP to 11 UDP packets.
My MAC address on my network card? is not the same as the MAC address on my cmd prompt "arp -a".
The packets are requesting "Who has ..." and "Tell ....".
Can anyoneeeee help me with this? Do I need to replace my network card? Firewall? Is it an internal problem or am I ARP poisoned/spoofed?
thankkks!

Whose network are you on? Sounds like you've got a rogue.

You could either have a loopback in your network where a cable has been plugged in directly between two ports on an auto-negotiating switch, or have a busted network card somewhere on your network. You should first try to identify which PC on your network is spewing requests and switch that off, then check for any loopbacks in your network.
If there are no loopbacks then it is probably the network card in the offending machine.
Loopbacks can be hard to find as sometimes users can plug one end of a patch lead into one socket and the other end into another socket in the same room. Tracking this down involves checking all of the ports on your network if you don't have managed switches.
The best prevention for loopbacks is to enable STP on the switches if they support it, which prevents such loops from forming.

On Cisco gear, you enable portfast on ports where client devices are connected - there should be a similar option on other hardware.
Understanding and Troubleshooting DHCP in Catalyst Switch or Enterprise Networks - Cisco Systems
Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays - Cisco Systems
We had Spiceworks running and it caused that symptom - lots of "who has x IP address" etc requests.
I should have posted in more detail but I only had a towel on (shower). I had ten minutes to type the message, get dressed, then go to work. O.K. here goes.
I'm currently at a home computer with only one computer connected to the network at the moment and a router (Linksys BEFSR41 V.2).
Two days ago I noticed nasty tangled wires and ethernet cords that weren't even in use connected to the router. So I unplugged all the ethernet cords, rolled up the unused ones and left enough for my PC - router - cable box. Upon booting up the computer I was getting the hassle that I didn't have an internet connection. So I made the direct connection from PC - cable box. Net worked fine. (That's dandy.)
Well, I still wanted to use the router for security purposes, so later I tried hooking it back up. It works! Yay. One problem... Somehow I still get net through the router but my PC's network card is using the direct ISP's IP. It's not giving me a 192.168. I'm getting a real IP address. I can't seem to make my router want to give me a 192.168., and when it does give me an internal IP I don't have an internet connection but I can connect to my router.
The MAC address in the properties of my network card is different from the MAC address in the command prompt when I type 'arp -a'. I'm not sure if that matters.
If you could dumb down how to enable STP or point me to a good tutorial, I'd be appreciative. I just started my first semester in IT for network engineering. Not far enough in it yet.
SYNACK: "The best prevention for loopbacks is to enable STP on the switches if they support it, which prevents such loops from forming."
A rogue? AKA botnet? I'm pretty sure the ARP requests are internal? I have no clue how ARP poison/spoof works. Maybe I set myself out for bait by not using a router for a while. If you need more information please ask!
powdarrmonkey: "Whose network are you on? Sounds like you've got a rogue."
edit: !!! I think it makes sense. I messed it up once I started unplugging the router. It's still trying to find the missing device that I detached?? But why couldn't I get net through the router? argghghghhh
Last edited by nokuku4u; 2nd September 2008 at 03:52 AM.

No, a rogue device of some form that's spewing out arp packets. If you're on a very large unsegmented network this can just be normal operation, and is why we segment, which is why I asked where you are.
My router gives me the address from the IP when I put my computer in the DMZ, maybe yours is in there. Might have misunderstood but that's what I think.
Don't turn STP off!!! The reason that your PCs are taking their time in downloading their policies is because of STP, but you must tell STP that those PC ports (access ports) are indeed access ports; you need to turn on "portfast" (Cisco) or "Edge Port" (HP/Netgear).
The ARPs look like rogues; remember that ARPs are requests from devices, but they can also come from devices announcing themselves into the network, saying "Hello, I am a router. Hello, I am a router": gratuitous ARPs!!!
WS is the only way to track down the ARPs, but ARPs are part and parcel of a network; if you want to reduce them in a network or reduce the scope of their broadcast domain, then use VLANs.
Hope this helps
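Added example, not part of the original thread: a small triage script for the steps suggested above (find which machine is spewing ARP requests, spot gratuitous ARPs, and notice when one IP is claimed by more than one MAC, which points to a duplicate address or ARP spoofing). The function names, the threshold and the sample frames are constructed for illustration; real input would be raw Ethernet frames exported from a capture.

```python
import struct
from collections import Counter, defaultdict

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet + IPv4 only
        return None
    return op, mac(frame[22:28]), ip(frame[28:32]), ip(frame[38:42])

def summarize(frames, threshold=3):
    """Tally ARP traffic per sender; threshold is an assumed cut-off for 'noisy'."""
    requests, gratuitous, claims = Counter(), Counter(), defaultdict(set)
    for f in frames:
        rec = parse_arp(f)
        if rec is None:
            continue
        op, smac, sip, tip = rec
        if sip != "0.0.0.0":             # ARP probes carry no sender IP claim
            claims[sip].add(smac)
        if sip == tip:                   # sender announces its own address
            gratuitous[smac] += 1
        elif op == 1:                    # ordinary "who has tip? tell sip"
            requests[smac] += 1
    return {
        "noisy": [m for m, n in requests.most_common() if n >= threshold],
        "gratuitous": dict(gratuitous),
        "conflicts": {i: sorted(m) for i, m in claims.items() if len(m) > 1},
    }

def build(op, smac, sip, tip):
    """Construct a broadcast ARP frame for the sample data below."""
    raw = bytes.fromhex(smac.replace(":", ""))
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return b"\xff" * 6 + raw + b"\x08\x06" + hdr + raw + addr(sip) + bytes(6) + addr(tip)

# Constructed sample: one host sweeping the subnet, one gratuitous ARP from
# the router address, and a second MAC also claiming that router address.
SAMPLE = [build(1, "02:00:00:00:00:0a", "192.168.1.50", f"192.168.1.{n}") for n in range(1, 6)]
SAMPLE += [build(1, "02:00:00:00:00:01", "192.168.1.1", "192.168.1.1"),
           build(2, "02:00:00:00:00:0b", "192.168.1.1", "192.168.1.100")]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
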