Excessive network traffic -
pmeyer at themeyerfarm.com
Thu Nov 29 00:20:24 UTC 2007
Ed Greshko wrote:
> Bob Goodwin wrote:
>> 14:48:17.244236 arp who-has 22.214.171.124 tell 126.96.36.199
>> 14:48:19.063647 arp who-has 10.9.226.129 tell 188.8.131.52
> The above are ARP broadcast packets. ARP stands for Address Resolution
> It is a bit strange to see these in your network since ARP broadcast packets
> aren't supposed to survive past the subnet they are transmitted on. The
> purpose of the ARP request is to get the MAC address of a given IP address.
> Taking one line of your output above...
> These packets are coming into your network. They are 42 bytes long. You'd
> have to have a whole heck of a lot of these to drive up your network usage.
> In any case, they are inbound and not associated with any requests from
> your side so it is unlikely that the ISP is counting these as your traffic.
This is a clear indication of packet 'flooding' by your ISP. If you
watch a dump long enough you will probably see all kinds of traffic.
What happens is that a 'switch' is supposed to look one level deeper
into each packet than a bridge does, and determine which interface to
copy it to. A bridge simply copies every packet to every interface.
Packet flooding happens when the switch does not have enough memory or
CPU to examine every packet. For those packets it cannot examine, it
drops them on every interface, like a bridge would do.
Bottom line, your ISP has faulty or overloaded switches. And yes, it
does impact you. All switches can flood when necessary, but it should
be rare, not constant.
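Added example, not part of the original post or thread: a small Python script that measures what the two messages above discuss, namely how many ARP requests in a tcpdump capture belong to other subnets and how much bandwidth they amount to at 42 bytes each. The local subnet `192.168.1.0/24`, the sample lines and the function name `summarize` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Matches the tcpdump line format shown in the thread (capture taken with -n).
ARP_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) arp who-has (\S+) tell (\S+)")
ARP_FRAME_BYTES = 42  # per-request size quoted in the thread

# Constructed sample capture using documentation addresses, not data from the post.
SAMPLE = [
    "14:48:17.244236 arp who-has 198.51.100.7 tell 198.51.100.1",
    "14:48:17.744236 arp who-has 192.168.1.20 tell 192.168.1.1",
    "14:48:18.244236 arp who-has 203.0.113.9 tell 203.0.113.1",
    "14:48:19.244236 arp who-has 198.51.100.8 tell 198.51.100.1",
    "14:48:19.500000 IP 192.168.1.20.51000 > 192.0.2.5.80: tcp 0",
]

def summarize(lines, local_net):
    """Count ARP requests; flag those with sender and target both off-subnet."""
    net = ipaddress.ip_network(local_net)
    times, senders = [], Counter()
    for line in lines:
        m = ARP_RE.match(line)
        if not m:
            continue  # not an ARP who-has line
        ts, target, sender = m.groups()
        try:
            t_ip, s_ip = ipaddress.ip_address(target), ipaddress.ip_address(sender)
        except ValueError:
            continue  # resolved hostname instead of an address; skip it
        times.append(datetime.strptime(ts, "%H:%M:%S.%f"))
        if t_ip not in net and s_ip not in net:
            senders[sender] += 1  # request that belongs to some other subnet
    # Assumes the capture does not cross midnight (tcpdump prints no date here).
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    total = len(times) * ARP_FRAME_BYTES
    return {
        "arp_requests": len(times),
        "foreign_requests": sum(senders.values()),
        "arp_bytes": total,
        "bytes_per_second": total / span if span else 0.0,
        "top_foreign_senders": senders.most_common(3),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.168.1.0/24"))
```

A sustained high count of foreign requests, rather than an occasional one, is the pattern the reply above describes as constant flooding.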