[TriLUG] RoadRunner issue - arp flood?

Nick Goldwater nick at dogstar1.com
Mon Dec 23 20:55:06 EST 2002


> Not sure what rr.com official help is gonna say since it's not causing
> actual loss of connection yet,

My connection has been lossy for the last couple weeks.

> but over the last few days my cable
> modem's activity light has been *on*.  Today I finally ran its
> ethernet cable directly to my debian box instead of the linksys router
> to tcpdump to see what's up, and it's a flood of arp traffic from
> primarily one machine.  The machine's IP (24.74.136.1) makes me think
> it's a router box for RR, so maybe it's just something they broke
> mistakenly.
>
> Anyone hazard a guess as to what might be broken?  Or how to fix it? :)

I noticed the activity light went ON after the Nimda virus went on its
rampage... Never went OFF after that... Do not know if it is connected or
just a coincidence.

>
> debian:~# tcpdump -n -c 1000|grep arp|awk '{print $6}'|sort|uniq -c|sort -n
> eth0: Promiscuous mode enabled.
> tcpdump: listening on eth0
>       8 24.136.132.65
>      31 10.41.96.1
>      34 24.136.140.1
>      68 24.162.244.1
>     108 24.136.253.129
>     203 24.25.4.1
>     328 24.74.136.1
> debian:~# bc -lq
> 328+203+108+68+34+31+8
> 780
>
> So 78% of those packets were arp packets, with those 2 (router?)
> machines dominating it.  Ugh.
>
> Help my poor cable modem! :)
>
> James
> --
> James Manning <http://www.sublogic.com/james/>
> GPG Key fingerprint = B913 2FBD 14A9 CE18 B2B7  9C8E A0BF B026 EEBB F6E4
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
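An added example, not part of either poster's message: the per-sender ARP tally from the quoted one-liner, written to key on the address after `tell` instead of a fixed field number, so it also handles the newer tcpdump line layout (`ARP, Request who-has X tell Y, length N`), skips ARP replies, and reports each sender's share of all captured packets. The function names and the sample capture lines are constructed for illustration; the two sender addresses are the ones from the post.

```shell
#!/bin/sh
# Tally ARP requests per requesting host from `tcpdump -n` text on stdin.
# Output: "<count> <sender-ip> <share of all captured packets>%", ascending.
arp_senders() {
    awk '
        NF { total++ }                       # every non-empty line is one packet
        tolower($0) ~ /arp/ && /who-has/ {   # ARP requests only, either layout
            for (i = 1; i < NF; i++) {
                if ($i == "tell") {
                    ip = $(i + 1)
                    sub(/,$/, "", ip)        # newer tcpdump appends a comma
                    count[ip]++
                    break
                }
            }
        }
        END {
            for (ip in count)
                printf "%d %s %d%%\n", count[ip], ip, 100 * count[ip] / total
        }
    ' | sort -n
}

# Constructed sample capture: old and new line layouts, one ARP reply and one
# non-ARP packet. Target addresses and the MAC are made up.
sample_capture() {
    cat <<'EOF'
20:55:01.000001 arp who-has 192.0.2.20 tell 24.74.136.1
20:55:01.000002 ARP, Request who-has 192.0.2.21 tell 24.74.136.1, length 46
20:55:01.000003 ARP, Request who-has 192.0.2.77 tell 24.25.4.1, length 46
20:55:01.000004 ARP, Reply 192.0.2.9 is-at 00:11:22:33:44:55, length 46
20:55:01.000005 IP 192.0.2.9.1025 > 192.0.2.53.53: UDP, length 30
EOF
}

# Live use (assumes interface eth0): tcpdump -n -c 1000 -i eth0 | arp_senders
```

Running `sample_capture | arp_senders` shows the tally without needing a live interface.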





