Excessive network traffic -

John Summerfield debian at herakles.homelinux.org
Wed Nov 28 23:58:43 UTC 2007


Bob Goodwin wrote:
> John Summerfield wrote:
>>
>> tcpdump -i eth1 -w /tmp/trace -s 9999 port 53
>>
>> After a while,
>> ^C
>> then
>> tcpdump -r /tmp/trace <and whatever the man page suggests and you find 
>> attractive> | less
>>
>>
> 
> Looking at port 53 produced nothing in half an hour with only tcpdump 
> running so I assume wireshark or iptraf was causing the dns messages.  
> However I can see a lot of data if I don't limit it to a particular 
> port.  Interpreting the data is another matter.
> 
> Apparently eth1 is a slow NIC but that's ok for what I'm doing ...  It 
> seems to me I should be able to stir up some activity with another 
> computer, this one [box6], and see something happen in the tcpdump data 
> stream [on box10].  How can I identify data for my system?  Presumably 
> most of what I am seeing is data directed at other subscribers.
> So I've got all this data and don't know how to deal with it.  Any help 
> appreciated.
> 
> 
> tcpdump -r /tmp/trace
> 
> reading from file /tmp/trace, link-type EN10MB (Ethernet)
> 14:48:00.580934 arp who-has 75.105.105.75 tell 75.105.105.1
> 14:48:00.581241 arp who-has 75.105.105.75 tell 75.105.105.1
> 14:48:05.034887 arp who-has 70.41.113.158 tell 70.41.112.1
> 14:48:05.035318 arp who-has 70.41.113.158 tell 70.41.112.1
> 14:48:06.038873 arp who-has 70.41.150.136 tell 70.41.148.1
> 14:48:06.039296 arp who-has 70.41.150.136 tell 70.41.148.1
> 14:48:08.399597 arp who-has 72.173.246.50 tell 72.173.244.1
> 14:48:08.400263 arp who-has 72.173.246.50 tell 72.173.244.1
> 14:48:09.448529 arp who-has 72.173.22.133 tell 72.173.20.1
> 14:48:09.449413 arp who-has 72.173.22.133 tell 72.173.20.1
> 14:48:10.668593 arp who-has 70.41.115.191 tell 70.41.112.1
> 14:48:10.669371 arp who-has 70.41.115.191 tell 70.41.112.1
> 14:48:13.233549 arp who-has 72.173.245.14 tell 72.173.244.1
> 14:48:13.234232 arp who-has 72.173.245.14 tell 72.173.244.1
> 14:48:15.694350 arp who-has 70.41.114.251 tell 70.41.112.1
> 14:48:15.694784 arp who-has 70.41.114.251 tell 70.41.112.1
> 14:48:17.243791 arp who-has 70.41.114.44 tell 70.41.112.1
> 14:48:17.244236 arp who-has 70.41.114.44 tell 70.41.112.1
> 14:48:19.063647 arp who-has 10.9.226.129 tell 70.41.148.1


IP packets on ethernet are wrapped in ethernet packets. Think of putting 
an IP-addressed packet inside an envelope and writing an ethernet 
address on the outside.

To find the address, the IP stack sends out an ethernet broadcast 
asking who has the address, tell me. That's what you're seeing there.

There should be packets in response. Here's an example from when I 
pinged Linux from Windows:
08:47 [summer at numbat ~]$ sudo tcpdump -i eth0 -nr /tmp/trace
reading from file /tmp/trace, link-type EN10MB (Ethernet)
08:46:14.800714 arp who-has 192.168.9.4 tell 192.168.9.134
08:46:14.803282 arp who-has 192.168.9.131 tell 192.168.9.134
08:46:14.803311 arp reply 192.168.9.131 is-at 00:0d:60:f0:ac:5c
08:46:14.803493 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 
512, seq 13824, length 40
08:46:14.803541 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 
512, seq 13824, length 40
08:46:15.796336 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 
512, seq 14080, length 40
08:46:15.796383 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 
512, seq 14080, length 40
08:46:16.796447 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 
512, seq 14336, length 40
08:46:16.796534 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 
512, seq 14336, length 40
08:46:17.796323 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 
512, seq 14592, length 40
08:46:17.796374 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 
512, seq 14592, length 40
08:46:19.803915 arp who-has 192.168.9.134 tell 192.168.9.131
08:46:19.804150 arp reply 192.168.9.134 is-at 00:18:71:84:a5:da
08:46:22.843325 IP 192.168.9.134.netbios-dgm > 
192.168.9.255.netbios-dgm: NBT UDP PACKET(138)
08:47 [summer at numbat ~]$

Once the IP stack has the address, it can address the envelope and pop 
it in the mail.

It remembers the association for a time so it doesn't have to repeat the 
lookup too often.

In your case, you're not getting the arp replies. This would be 
consistent with your network cable connecting your NIC to a switch which 
is turned on, but nothing else is plugged into the switch, _if_ the only 
"tell" IP address you saw is yours.

It's also consistent with your seeing the ethernet broadcasts but not 
the replies. That's what you should expect.

I would not be concerned about that traffic.



-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
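As an added illustration of John's diagnosis (not code from the thread or from any of its posters), the script below parses tcpdump ARP lines of the two shapes shown above, counts "who-has" requests against "is-at" replies, lists the targets that were never answered, and applies the rule of thumb from the reply: if the only "tell" address is your own and nothing answers, the segment is quiet; if the "tell" addresses belong to other hosts and you see no replies, you are watching other hosts' broadcasts on a shared segment, and the replies, being unicast to the requester, are not delivered to your port. The regexes, the label strings and the sample traces are assumptions constructed here; the sample lines are modelled on the two captures quoted in the thread.

```python
import re
from collections import Counter

# The two ARP line shapes tcpdump prints with -n (hypothetical parser, assumes tcpdump's default format).
REQ_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)'
)
REP_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp reply (?P<addr>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})'
)

# Constructed sample, modelled on Bob's trace: requests from several gateways, no replies.
SAMPLE_SHARED_SEGMENT = """\
14:48:00.580934 arp who-has 75.105.105.75 tell 75.105.105.1
14:48:00.581241 arp who-has 75.105.105.75 tell 75.105.105.1
14:48:05.034887 arp who-has 70.41.113.158 tell 70.41.112.1
14:48:19.063647 arp who-has 10.9.226.129 tell 70.41.148.1
"""

# Constructed sample, modelled on John's ping trace: request, reply, then traffic.
SAMPLE_PING = """\
08:46:14.800714 arp who-has 192.168.9.4 tell 192.168.9.134
08:46:14.803282 arp who-has 192.168.9.131 tell 192.168.9.134
08:46:14.803311 arp reply 192.168.9.131 is-at 00:0d:60:f0:ac:5c
08:46:14.803493 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 512, seq 13824, length 40
08:46:19.803915 arp who-has 192.168.9.134 tell 192.168.9.131
08:46:19.804150 arp reply 192.168.9.134 is-at 00:18:71:84:a5:da
"""


def parse_arp(lines):
    """Return (requests, replies) as lists of dicts; lines that are not ARP are ignored."""
    requests, replies = [], []
    for line in lines:
        line = line.strip()
        m = REQ_RE.match(line)
        if m:
            requests.append(m.groupdict())
            continue
        m = REP_RE.match(line)
        if m:
            replies.append(m.groupdict())
    return requests, replies


def summarize(lines):
    """Count requests and replies, and list targets nobody answered and who is asking."""
    requests, replies = parse_arp(lines)
    answered = {r['addr'] for r in replies}
    by_target = Counter(r['target'] for r in requests)
    return {
        'requests': len(requests),
        'replies': len(replies),
        # target -> number of unanswered who-has requests for it
        'unanswered_targets': {t: n for t, n in by_target.items() if t not in answered},
        # "tell" address -> number of requests it sent (who is doing the asking)
        'tell_addresses': Counter(r['sender'] for r in requests),
    }


def classify(summary, my_ips):
    """Apply the reasoning from the reply: whose requests are these, and are they answered?"""
    tellers = set(summary['tell_addresses'])
    if not tellers:
        return 'none'            # no ARP requests in the capture at all
    if summary['replies'] == 0 and tellers <= set(my_ips):
        return 'quiet-segment'   # only your own requests, and nothing answers: nothing else is attached
    if summary['replies'] == 0:
        return 'foreign-broadcasts'  # other hosts' broadcasts; their unicast replies do not reach your port
    return 'normal'              # requests and replies both present


if __name__ == '__main__':
    for name, text, mine in (('shared', SAMPLE_SHARED_SEGMENT, ['75.105.105.1']),
                             ('ping', SAMPLE_PING, ['192.168.9.134'])):
        s = summarize(text.splitlines())
        print(name, s['requests'], 'requests,', s['replies'], 'replies,',
              'unanswered:', s['unanswered_targets'], '->', classify(s, mine))
```

To run it against a real capture, read the output of `tcpdump -nr /tmp/trace arp` from a file or a pipe and pass its lines to `summarize`; the `-n` flag matters, because without it tcpdump prints hostnames and the regexes above expect dotted addresses. The unanswered-target list is the useful defender's view: a handful of unanswered requests from other gateways is the background noise John describes, whereas a flood of requests sweeping one subnet from a single "tell" address would be worth a closer look.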



