Excessive network traffic -

Phil Meyer pmeyer at themeyerfarm.com
Thu Nov 29 00:20:24 UTC 2007

Ed Greshko wrote:
> Bob Goodwin wrote:
> ...
>> 14:48:17.244236 arp who-has tell
>> 14:48:19.063647 arp who-has tell
> The above are ARP broadcast packets.  ARP stands for Address Resolution
> Protocol.
> It is a bit strange to see these in your network since ARP broadcast packets
> aren't supposed to survive past the subnet they are transmitted on.  The
> purpose of the ARP request is to get the MAC address of a given IP address.
>  Taking one line of your output above...
> ...
> These packets are coming into your network.  They are 42 bytes long.  You'd
> have to have a whole heck of a lot of these to drive up your network usage.
>  In any case, they are inbound and not associated with any requests from
> your side so it is unlikely that the ISP is counting these as your traffic.

This is a clear indication of packet 'flooding' by your ISP.  If you 
watch a dump long enough you will probably see all kinds of traffic.

What happens is that a 'switch' is supposed to look one level deeper 
into each packet than a bridge does, and determine which interface to 
copy it to.  A bridge simply copies every packet to every interface.

Packet flooding happens when the switch does not have enough memory or 
CPU to examine every packet.  For those packets it cannot examine, it 
drops them on every interface, like a bridge would do.

Bottom line, your ISP has faulty or overloaded switches.  And yes, it 
does impact you.  All switches can flood when necessary, but it should 
be rare, not constant.

Good Luck!

More information about the users mailing list