Wireless Networks Thread, arp flood!~ in Technical
1st September 2008, 05:04 PM #1
I have a strange problem that Google surfing can't solve.
I run Ethereal and about 95% of the packets are ARP requests. I let Ethereal run for 10 seconds and I get about 434 ARP to 11 UDP packets.
My MAC address on my network card? is not the same as the MAC address on my cmd prompt "arp -a".
The packets are requesting "Who has ..." and "Tell ...."
Can anyoneeeee help me with this? Do I need to replace my network card? Firewall? Is it an internal problem or am I ARP poisoned/spoofed?
1st September 2008, 05:12 PM #2
Whose network are you on? Sounds like you've got a rogue.
1st September 2008, 05:18 PM #3
You could either have a loopback in your network, where a cable has been plugged in directly between two ports on an auto-negotiating switch, or have a busted network card somewhere on your network. You should first try to identify which PC on your network is spewing requests and switch that off, then check for any loopbacks in your network.
If there are no loopbacks then it is probably the network card in the offending machine.
Loopbacks can be hard to find as sometimes users can plug one end of a patch lead into one socket and the other end into another socket in the same room. Tracking this down involves checking all of the ports on your network if you don't have managed switches.
The best prevention for loopbacks is to enable STP on the switches if they support it, which prevents such loops from forming.
1st September 2008, 05:28 PM #4
Now funnily enough we have just had to turn off STP on the few switches we had it turned on as it was stopping PCs connecting to the network in time for group policies and the like.
Originally Posted by SYNACK
How do you stop that?
1st September 2008, 05:33 PM #5
1st September 2008, 06:04 PM #6
We had Spiceworks running and it caused that symptom - lots of "who has x IP address" etc requests.
2nd September 2008, 04:43 AM #7
I should have posted in more detail but I only had a towel on (shower). I had ten minutes to type the message, get dressed, then go to work. O.K. here goes.
I'm currently at a home computer with only one computer connected to the network at the moment and a router (Linksys BEFSR41 V.2)
Two days ago I noticed nasty tangled wires and ethernet cords that weren't even in use connected to the router. So I unplug all the ethernet cords, roll up the unused and left enough for my PC - router - cable box. Upon booting up the computer I was getting the hassle that I didn't have internet connection. So I made the direct connection from PC - cable box. Net worked fine. (That's dandy.)
Well, I still wanted to use the router for security purposes so, later I try hooking it back up. It works! Yay. One problem... Somehow I still get net through the router but my PC's network card is using the direct ISP's IP. It's not giving me a 192.168. I'm getting a real IP address. I can't seem to make my router want to give me a 192.168. and when it does give me an internal IP I don't have internet connection but I can connect to my router.
My MAC address on properties in my network card is a different MAC address than on command prompt when I type 'arp -a'. I'm not sure if that matters.
If you could dumb down how to enable STP or a good tutorial, I'd be appreciative. I just started my first semester in IT for network engineering. Not far enough in it yet.
SYNACK: The best prevention for loopbacks is to enable STP on the switches if they support it, which prevents such loops from forming.
A rogue? aka botnet? I'm pretty sure the ARP requests are internal? I have no clue how ARP poison/spoof works. Maybe I set myself out for bait for not using a router for a while. If you need more information please ask!
powdarrmonkey: Whose network are you on? Sounds like you've got a rogue.
edit: !!! I think it makes sense. I messed it up once I started unplugging the router. It's still trying to find the missing device that I detached?? But why couldn't I get net through the router? argghghghhh
Last edited by nokuku4u; 2nd September 2008 at 04:52 AM.
2nd September 2008, 08:04 AM #8
No, a rogue device of some form that's spewing out arp packets. If you're on a very large unsegmented network this can just be normal operation, and is why we segment, which is why I asked where you are.
2nd September 2008, 01:57 PM #9
My router gives me the address from the IP when I put my computer in the DMZ, maybe yours is in there. Might have misunderstood but that's what I think.
6th September 2008, 02:29 PM #10
Don't turn STP off!!! The reason that your PCs are taking their time in downloading their policies is because of STP, but you must tell STP that those PC ports (access ports) are indeed access ports; you need to turn on "portfast" (Cisco) or "Edge Port" (HP/Netgear).
The ARPs look like rogues. Remember that ARPs are requests from devices, but they can also come from devices announcing themselves into the network, saying "hello, I am a router. Hello, I am a router": gratuitous ARPs!!!
WS is the only way to track down the ARPs, but ARPs are part and parcel of a network. If you want to reduce them in a network or reduce the scope of their broadcast domain then use VLANs.
Hope this helps
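Added example, not part of any post in this thread: a Python sketch of the tally that posts #3 and #10 describe doing by eye in a capture, counting ARP requests per sender MAC, gratuitous ARPs, and IP addresses claimed by more than one MAC. The frames, MAC addresses and the 50% `flood_share` threshold are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)
def parse_arp(frame):
    """Decode an untagged Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return {"op": op, "mac": _mac(sha), "ip": _ip(spa), "gratuitous": spa == tpa}

def summarize(frames, flood_share=0.5):
    """Tally ARP by sender. flood_share is an assumed threshold, not a standard."""
    requests, gratuitous, claims = Counter(), Counter(), defaultdict(set)
    for a in filter(None, map(parse_arp, frames)):
        if a["ip"] != "0.0.0.0":            # ARP probes carry no sender IP
            claims[a["ip"]].add(a["mac"])
        if a["gratuitous"]:
            gratuitous[a["mac"]] += 1       # "hello, I am <ip>" announcements
        elif a["op"] == 1:
            requests[a["mac"]] += 1         # ordinary "who has X? tell Y"
    total = sum(requests.values())
    talkers = [m for m, n in requests.most_common() if n / total >= flood_share]
    conflicts = {i: sorted(m) for i, m in claims.items() if len(m) > 1}
    return {"requests": requests, "top_talkers": talkers,
            "gratuitous": gratuitous, "conflicts": conflicts}

def build(op, sha, spa, tpa):
    """Construct a broadcast ARP frame for the sample data below."""
    m = bytes.fromhex(sha.replace(":", ""))
    ipb = lambda s: bytes(int(x) for x in s.split("."))
    return (b"\xff" * 6 + m + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + m + ipb(spa) + b"\x00" * 6 + ipb(tpa))

# Constructed sample: A sweeps 40 addresses, B asks twice for the gateway,
# C announces itself as 192.168.1.1, D also speaks as 192.168.1.1.
A, B, C, D = (f"02:00:00:00:00:0{x}" for x in "abcd")
SAMPLE = ([build(1, A, "192.168.1.10", f"192.168.1.{n}") for n in range(20, 60)]
          + [build(1, B, "192.168.1.11", "192.168.1.1")] * 2
          + [build(1, C, "192.168.1.1", "192.168.1.1"),
             build(1, D, "192.168.1.1", "192.168.1.11")])

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A single MAC dominating `requests` points at the machine to unplug first; an entry in `conflicts` means two different MACs are answering for one IP, which is worth checking against the router's own label before assuming a duplicate address or spoofing.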