Re: Excessive network traffic

Bob Goodwin wrote:
> John Summerfield wrote:
>
>> tcpdump -i eth1 -w /tmp/trace -s 9999 port 53
>>
>> After a while,
>> ^C
>> then
>> tcpdump -r /tmp/trace <and whatever the man page suggests and you find attractive> | less
>
> Looking at port 53 produced nothing in half an hour with only tcpdump running, so I assume wireshark or iptraf was causing the dns messages. However, I can see a lot of data if I don't limit it to a particular port. Interpreting the data is another matter.
>
> Apparently eth1 is a slow NIC but that's ok for what I'm doing ... It seems to me I should be able to stir up some activity with another computer, this one [box6], and see something happen in the tcpdump data stream [on box10]. How can I identify data for my system? Presumably most of what I am seeing is data directed at other subscribers. So I've got all this data and don't know how to deal with it. Any help appreciated.
>
> tcpdump -r /tmp/trace
>
> reading from file /tmp/trace, link-type EN10MB (Ethernet)
> 14:48:00.580934 arp who-has 75.105.105.75 tell 75.105.105.1
> 14:48:00.581241 arp who-has 75.105.105.75 tell 75.105.105.1
> 14:48:05.034887 arp who-has 70.41.113.158 tell 70.41.112.1
> 14:48:05.035318 arp who-has 70.41.113.158 tell 70.41.112.1
> 14:48:06.038873 arp who-has 70.41.150.136 tell 70.41.148.1
> 14:48:06.039296 arp who-has 70.41.150.136 tell 70.41.148.1
> 14:48:08.399597 arp who-has 72.173.246.50 tell 72.173.244.1
> 14:48:08.400263 arp who-has 72.173.246.50 tell 72.173.244.1
> 14:48:09.448529 arp who-has 72.173.22.133 tell 72.173.20.1
> 14:48:09.449413 arp who-has 72.173.22.133 tell 72.173.20.1
> 14:48:10.668593 arp who-has 70.41.115.191 tell 70.41.112.1
> 14:48:10.669371 arp who-has 70.41.115.191 tell 70.41.112.1
> 14:48:13.233549 arp who-has 72.173.245.14 tell 72.173.244.1
> 14:48:13.234232 arp who-has 72.173.245.14 tell 72.173.244.1
> 14:48:15.694350 arp who-has 70.41.114.251 tell 70.41.112.1
> 14:48:15.694784 arp who-has 70.41.114.251 tell 70.41.112.1
> 14:48:17.243791 arp who-has 70.41.114.44 tell 70.41.112.1
> 14:48:17.244236 arp who-has 70.41.114.44 tell 70.41.112.1
> 14:48:19.063647 arp who-has 10.9.226.129 tell 70.41.148.1


IP packets on ethernet are wrapped in ethernet packets. Think of putting an IP-addressed packet inside an envelope and writing an ethernet address on the outside.

To find the address, the IP stack sends out an ethernet broadcast asking who has the address, tell me. That's what you're seeing there.

There should be packets in response. Here's an example from when I pinged Linux from Windows:
08:47 [summer@numbat ~]$ sudo tcpdump -i eth0 -nr /tmp/trace
reading from file /tmp/trace, link-type EN10MB (Ethernet)
08:46:14.800714 arp who-has 192.168.9.4 tell 192.168.9.134
08:46:14.803282 arp who-has 192.168.9.131 tell 192.168.9.134
08:46:14.803311 arp reply 192.168.9.131 is-at 00:0d:60:f0:ac:5c
08:46:14.803493 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 512, seq 13824, length 40
08:46:14.803541 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 512, seq 13824, length 40
08:46:15.796336 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 512, seq 14080, length 40
08:46:15.796383 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 512, seq 14080, length 40
08:46:16.796447 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 512, seq 14336, length 40
08:46:16.796534 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 512, seq 14336, length 40
08:46:17.796323 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 512, seq 14592, length 40
08:46:17.796374 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 512, seq 14592, length 40
08:46:19.803915 arp who-has 192.168.9.134 tell 192.168.9.131
08:46:19.804150 arp reply 192.168.9.134 is-at 00:18:71:84:a5:da
08:46:22.843325 IP 192.168.9.134.netbios-dgm > 192.168.9.255.netbios-dgm: NBT UDP PACKET(138)
08:47 [summer@numbat ~]$

Once the IP stack has the address, it can address the envelope and pop it in the mail.

It remembers the association for a time so it doesn't have to repeat the lookup too often.

In your case, you're not getting the arp replies. This would be consistent with your network cable connecting your NIC to a switch which is turned on, but nothing else is plugged into the switch, _if_ the only "tell" IP address you saw is yours.

It's also consistent with your seeing the ethernet broadcasts but not the replies. That's what you should expect.

I would not be concerned about that traffic.



--

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
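An added example, not code from this thread, that applies John's explanation to the kind of trace Bob posted: it parses tcpdump's text output, reports which who-has requests never received an "is-at" reply, and pulls out the lines involving one address (the text-level equivalent of capturing with `tcpdump host <ip>`, which is the usual way to answer "which of this is mine?"). The sample lines are constructed from the ones quoted above and from John's ping example; the regexes assume the classic one-line tcpdump text format shown there.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format: unanswered who-has broadcasts like the
# thread's, plus an answered lookup, a ping and a UDP datagram (note the ".service" suffix).
SAMPLE_TRACE = """\
14:48:00.580934 arp who-has 75.105.105.75 tell 75.105.105.1
14:48:00.581241 arp who-has 75.105.105.75 tell 75.105.105.1
14:48:05.034887 arp who-has 70.41.113.158 tell 70.41.112.1
08:46:14.803282 arp who-has 192.168.9.131 tell 192.168.9.134
08:46:14.803311 arp reply 192.168.9.131 is-at 00:0d:60:f0:ac:5c
08:46:14.803493 IP 192.168.9.134 > 192.168.9.131: ICMP echo request, id 512, seq 13824, length 40
08:46:14.803541 IP 192.168.9.131 > 192.168.9.134: ICMP echo reply, id 512, seq 13824, length 40
08:46:22.843325 IP 192.168.9.134.netbios-dgm > 192.168.9.255.netbios-dgm: NBT UDP PACKET(138)
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ARP_REQ = re.compile(r"^\S+ arp who-has " + IPV4 + " tell " + IPV4 + "$")
ARP_REP = re.compile(r"^\S+ arp reply " + IPV4 + r" is-at \S+$")
IP_PKT = re.compile(r"^\S+ IP " + IPV4 + r"(?:\.\S+)? > " + IPV4 + r"(?:\.\S+)?:")

def hosts_in(line):
    """IPv4 addresses a tcpdump text line is about: ARP target/asker or IP src/dst."""
    for pattern in (ARP_REQ, ARP_REP, IP_PKT):
        m = pattern.match(line)
        if m:
            return set(m.groups())
    return set()

def summarize_arp(trace):
    """Per asked-for address: request count, who asked, and whether a reply was seen."""
    seen = defaultdict(lambda: {"requests": 0, "asked_by": set(), "answered": False})
    for line in trace.splitlines():
        req = ARP_REQ.match(line)
        if req:
            target, asker = req.groups()
            seen[target]["requests"] += 1
            seen[target]["asked_by"].add(asker)
        rep = ARP_REP.match(line)
        if rep:
            seen[rep.group(1)]["answered"] = True
    return dict(seen)

def unanswered_targets(summary):
    """Addresses that were asked for but never answered (absent or silent hosts)."""
    return sorted(t for t, s in summary.items() if not s["answered"])

def packets_for_host(trace, host):
    """Lines involving one address, the text-level equivalent of 'tcpdump host <ip>'."""
    return [line for line in trace.splitlines() if host in hosts_in(line)]
```

Feed it `tcpdump -nr /tmp/trace` output (the `-n` keeps addresses numeric so the regexes match) and compare the "asked_by" set against your own address: requests asked by other gateways for other hosts are the segment's background noise John describes, while an address of yours that is asked for and never answered is the thing worth looking into.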

