Re: Excessive network traffic -

Bob Goodwin wrote:

> Looking at port 53 produced nothing in half an hour with only tcpdump
> running so I assume wireshark or iptraf was causing the dns messages. 

For wireshark you should go to "preferences", "Name resolution" and uncheck
"enable network name resolution".

> However I can see a lot of data if I don't limit it to a particular
> port.  Interpreting the data is another matter.
> 
> Apparently eth1 is a slow NIC but that's ok for what I'm doing ...  It
> seems to me I should be able to stir up some activity with another
> computer, this one [box6], and see something happen in the tcpdump data
> stream [on box10].  How can I identify data for my system?  Presumably
> most of what I am seeing is data directed at other subscribers.
> So I've got all this data and don't know how to deal with it.  Any help
> appreciated.
> 
> 
> tcpdump -r /tmp/trace
> 
> reading from file /tmp/trace, link-type EN10MB (Ethernet)
> 14:48:00.580934 arp who-has 75.105.105.75 tell 75.105.105.1
> 14:48:00.581241 arp who-has 75.105.105.75 tell 75.105.105.1
> 14:48:05.034887 arp who-has 70.41.113.158 tell 70.41.112.1
> 14:48:05.035318 arp who-has 70.41.113.158 tell 70.41.112.1
> 14:48:06.038873 arp who-has 70.41.150.136 tell 70.41.148.1
> 14:48:06.039296 arp who-has 70.41.150.136 tell 70.41.148.1
> 14:48:08.399597 arp who-has 72.173.246.50 tell 72.173.244.1
> 14:48:08.400263 arp who-has 72.173.246.50 tell 72.173.244.1
> 14:48:09.448529 arp who-has 72.173.22.133 tell 72.173.20.1
> 14:48:09.449413 arp who-has 72.173.22.133 tell 72.173.20.1
> 14:48:10.668593 arp who-has 70.41.115.191 tell 70.41.112.1
> 14:48:10.669371 arp who-has 70.41.115.191 tell 70.41.112.1
> 14:48:13.233549 arp who-has 72.173.245.14 tell 72.173.244.1
> 14:48:13.234232 arp who-has 72.173.245.14 tell 72.173.244.1
> 14:48:15.694350 arp who-has 70.41.114.251 tell 70.41.112.1
> 14:48:15.694784 arp who-has 70.41.114.251 tell 70.41.112.1
> 14:48:17.243791 arp who-has 70.41.114.44 tell 70.41.112.1
> 14:48:17.244236 arp who-has 70.41.114.44 tell 70.41.112.1
> 14:48:19.063647 arp who-has 10.9.226.129 tell 70.41.148.1

The above are ARP broadcast packets.  ARP stands for Address Resolution
Protocol.

It is a bit strange to see these in your network since ARP broadcast packets
aren't supposed to survive past the subnet they are transmitted on.  The
purpose of the ARP request is to get the MAC address of a given IP address.
Taking one line of your output above...

14:48:10.668593 arp who-has 70.41.115.191 tell 70.41.112.1

The source of the ARP message is 70.41.112.1.  It is sending out a broadcast
message asking "Who ever has IP address of 70.41.115.191, please respond
with your MAC address".

You aren't seeing the response...but if you had you'd see something like:

07:27:51.893480 arp reply 70.41.115.191 is-at 00:30:6e:c7:63:8f

These packets are coming into your network.  They are 42 bytes long.  You'd
have to have a whole heck of a lot of these to drive up your network usage.
In any case, they are inbound and not associated with any requests from
your side so it is unlikely that the ISP is counting these as your traffic.




-- 
Tell a man there are 300 billion stars in the universe and he'll believe you.
Tell him a bench has wet paint on it and he'll have to touch to be sure.
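
Added example (not part of either message above): a small Python script that
parses tcpdump's ARP output lines of the kind quoted in the thread and answers
the two questions raised there, which of the ARP traffic concerns your own
host, and how much bandwidth the stray broadcasts actually add up to. The
sample lines are copied from the quoted trace plus one constructed "arp reply"
line; the local address 70.41.114.44 and the subnet 70.41.112.0/22 are
assumptions chosen for illustration, not facts from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: ARP lines quoted in the thread plus one hypothetical
# reply for the assumed local address 70.41.114.44 (tcpdump text format).
SAMPLE_TRACE = """\
14:48:00.580934 arp who-has 75.105.105.75 tell 75.105.105.1
14:48:05.034887 arp who-has 70.41.113.158 tell 70.41.112.1
14:48:06.038873 arp who-has 70.41.150.136 tell 70.41.148.1
14:48:10.668593 arp who-has 70.41.115.191 tell 70.41.112.1
14:48:17.243791 arp who-has 70.41.114.44 tell 70.41.112.1
14:48:17.244501 arp reply 70.41.114.44 is-at 00:30:6e:c7:63:8f
14:48:19.063647 arp who-has 10.9.226.129 tell 70.41.148.1
"""

ARP_REQ = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)$")
ARP_REP = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})$")

# 14-byte Ethernet header + 28-byte ARP payload, the 42 bytes the reply mentions
# (the NIC pads the frame to 60 bytes on the wire; the figure here is tcpdump's).
ARP_WIRE_BYTES = 42


def parse_arp(text):
    """Turn tcpdump ARP lines into dicts; lines that are not ARP are skipped."""
    records = []
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if m:
            records.append({"ts": m["ts"], "op": "request",
                            "target": m["target"], "sender": m["sender"]})
            continue
        m = ARP_REP.match(line)
        if m:
            records.append({"ts": m["ts"], "op": "reply",
                            "ip": m["ip"], "mac": m["mac"]})
    return records


def ts_seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (same day assumed)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize(records, my_ip, my_net):
    """Classify ARP records relative to an assumed local IP and subnet."""
    my_ip = str(ip_address(my_ip))
    my_net = ip_network(my_net, strict=False)
    requests = [r for r in records if r["op"] == "request"]
    # Anything that names our address, as request target, requester, or reply.
    about_me = [r for r in records
                if my_ip in (r.get("target"), r.get("sender"), r.get("ip"))]
    # Requests whose sender is outside our subnet should not be reaching us.
    foreign = [r for r in requests if ip_address(r["sender"]) not in my_net]
    per_gateway = Counter(r["sender"] for r in requests)
    span = 0.0
    if len(records) > 1:
        span = ts_seconds(records[-1]["ts"]) - ts_seconds(records[0]["ts"])
    total_bytes = ARP_WIRE_BYTES * len(records)
    return {
        "total": len(records),
        "requests": len(requests),
        "about_me": len(about_me),
        "foreign_subnet_requests": len(foreign),
        "per_gateway": per_gateway,
        "bytes": total_bytes,
        "bytes_per_sec": total_bytes / span if span > 0 else 0.0,
    }


if __name__ == "__main__":
    recs = parse_arp(SAMPLE_TRACE)
    summary = summarize(recs, "70.41.114.44", "70.41.112.0/22")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feed it a real capture with `tcpdump -n -r /tmp/trace arp | python3 arpsum.py`
(after changing the script to read stdin) and set `my_ip`/`my_net` to the
address and mask `ip addr show eth1` reports. A large `foreign_subnet_requests`
count with a small `bytes_per_sec` is exactly the situation the reply
describes: noisy, but nowhere near enough to explain a bandwidth bill.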

