+ Post New Thread
Results 1 to 10 of 10
Wireless Networks Thread, arp flood!~ in Technical; I have a strange problem that google surfing can't solve my problem. I run etheral and about 95% of the ...
  1. #1

    Join Date
    Sep 2008
    Location
    Wv
    Posts
    2
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Exclamation arp flood!~

    I have a strange problem that google surfing can't solve my problem.

    I run etheral and about 95% of the packets are arp requests. I let ethereal run for 10 seconds and i get about 434 arp to 11 udp packets.

    my mac address on my network card? is not the same as the mac address on my cmd prompt "arp -a"

    the packets are requesting "Who has ..." and "Tell ...."

    Can anyoneeeee help me with this. Do i need to replace my network card? firewall? is it internal problem or am i arp poisened/spoofed?

    thankkks!

  2. #2

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,866
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    Whose network are you on? Sounds like you've got a rogue.

  3. #3

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,239
    Thank Post
    882
    Thanked 2,742 Times in 2,316 Posts
    Blog Entries
    11
    Rep Power
    784
    You could either have a loopback in your network where a cable has been plugged in directly between two ports on an auto negotiating switch or have a busted network card somewhere on your network. You should first try to identify which pc on your network is spewing requests and switch that off then check for any loopbacks in your network.

    If there are no loopbacks then it is probably the network card in the offending machine.

    Loopbacks can be hard to find as sometimes users can plug one end of a patch lead into one socket and the other end into another socket in the same room. Tracking this down involves checking all of the ports on your network if you don't have managed switches.

    The best prevention for loopbacks is to enable STP on the switches if they support it which prevent such loops from forming.

  4. #4

    TechMonkey's Avatar
    Join Date
    Dec 2005
    Location
    South East
    Posts
    3,303
    Thank Post
    226
    Thanked 412 Times in 305 Posts
    Rep Power
    163
    Quote Originally Posted by SYNACK View Post
    The best prevention for loopbacks is to enable STP on the switches if they support it which prevent such loops from forming.
    Now funnily enough we have just had to turn off STP on the few switches we had it turned on as it was stopping PCs connecting to the network in time for group policies and the like.

    How do you stop that?

  5. #5


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,677
    Thank Post
    279
    Thanked 782 Times in 609 Posts
    Rep Power
    224
    Quote Originally Posted by TechMonkey View Post
    Now funnily enough we have just had to turn off STP on the few switches we had it turned on as it was stopping PCs connecting to the network in time for group policies and the like.

    How do you stop that?
    On Cisco gear, you enable portfast on ports where client devices are connected - there should be a similar option on other hardware.

    Understanding and Troubleshooting DHCP in Catalyst Switch or Enterprise Networks - Cisco Systems

    Using PortFast and Other Commands to Fix Workstation Startup Connectivity Delays - Cisco Systems

  6. #6

    Join Date
    Nov 2006
    Location
    Kendal
    Posts
    1,555
    Thank Post
    112
    Thanked 177 Times in 144 Posts
    Rep Power
    72
    We had Spiceworks running and it caused that symptom - lots of "who has x IP address" etc requests.

  7. #7

    Join Date
    Sep 2008
    Location
    Wv
    Posts
    2
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    I should have posted in more detail but I only had a towel on (shower). I had ten minutes to type the message, get dressed, then go to work. O.K. here goes.

    I'm currently at a home computer with only one computer connected to the network at the moment and a router (Linksys BEFSR41 V.2)

    Two days ago I noticed nasty tangled wires and ethernet cords that weren't even in use connected to the router. So I unplug all the ethernet cords, roll up the unused and left enough for my pc - router - cable box. Upon booting up the computer I was getting the hassle that i didn't have internet connection. So I made the direct connection from pc - cable box. Net worked fine. (That's dandy.)

    Well, I still wanted to use the router for security purposes so, later I try hooking it back up. It works! yay. One problem... Somehow i still get net through the router but my pc's network card is using the direct isp's IP. It's not giving me a 192.168. I'm getting a real ip address. I can't seem to make my router want to give me a 192.168. and when it does give me an internal ip i don't have internet connection but i can connect to my router.

    My mac address on properties in my network card has different mac address then on command prompt when i type 'arp -a'. I'm not sure if that matters.


    SYNACK:The best prevention for loopbacks is to enable STP on the switches if they support it which prevent such loops from forming.
    If you could dumb down how to enable STP or a good tutorial, I'd be appreciative. I just started my first semester in IT for network engineering. Not far enough in it yet


    powdarrmonkey Whose network are you on? Sounds like you've got a rogue.
    A rogue? aka botnet? I'm pretty sure the arp request are internal? I have no clue how arp poison/spoof works. maybe i set myself out for bait for not using a router for awhile. If you need more information please ask!



    edit: !!! I think it makes since. I messed it up once I started unplugging the router. It's still trying to find the missing device that i detached?? but why couldn't i get net through the router? argghghghhh
    Last edited by nokuku4u; 2nd September 2008 at 03:52 AM.

  8. #8

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,866
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    No, a rogue device of some form that's spewing out arp packets. If you're on a very large unsegmented network this can just be normal operation, and is why we segment, which is why I asked where you are.

  9. #9

    Join Date
    Jan 2007
    Location
    Durham, UK
    Posts
    328
    Thank Post
    33
    Thanked 17 Times in 12 Posts
    Rep Power
    20
    My router gives me the address from the IP when i put my computer in the DMZ, maybe yours is in their. Might of misunderstood but thats what i think.

  10. #10
    MSGeek's Avatar
    Join Date
    Jul 2008
    Location
    Manchester
    Posts
    12
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Don't STP off!!! The reason that your P.C's are taking there time in downloading their policies is because of STP, but you must tell STP that those P.C ports (Access Ports) are indeed access ports, you need to turn on "portfast" (Cisco) "Edge Port" (HP/Netgear)

    The arp look like rouges, remember that arps are requests from devices but they can also come from devices annoucing themselves into the network, saying "hello, I am a router. Hello I am a router" gratuitous arps!!!

    WS is the only way to track down the arps, but arps are a part and parcel of a network, if you want to reduce them in a network or reduce the scope of their broadcast domain then use vlans

    Hope this helps

SHARE:
+ Post New Thread

Similar Threads

  1. Flood of IGMP Traffic
    By sidewinder in forum Wireless Networks
    Replies: 13
    Last Post: 29th March 2010, 03:12 PM
  2. High ARP traffic?
    By drewp in forum Wireless Networks
    Replies: 10
    Last Post: 1st February 2008, 09:11 AM
  3. PXE-E11 ARP Timeout Error
    By Ste_Harve in forum Wireless Networks
    Replies: 1
    Last Post: 24th August 2007, 06:39 AM
  4. ARP Timeout
    By mrforgetful in forum Wireless Networks
    Replies: 6
    Last Post: 14th May 2007, 07:17 AM
  5. ARP overwritten DOS
    By CyberNerd in forum Wireless Networks
    Replies: 1
    Last Post: 24th May 2006, 12:10 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •