9/22 I'm trying to debug the source of a particular type of arp
traffic on my network. Basically I'm seeing something like
the following at a rate of about 1/s from dozens of hosts:
11:17:14.372348 arp who-has xxx (Broadcast) tell xxx
Any ideas about where to get started? (I've traced the
cabling to and from our switches and it looks like there
are no loops, in case that helps).
\_ are the xxx's censoring, or is that the actual output?
\_ censoring. --seen it elsewhere, --!OP
\_ Welchia virus
\_ Unless Redhat's 7.3 cds are infected with
this, I doubt it. My network consists almost
exclusively of systems running 7.3 (many are
kickstarted every few days).
\- look at the mac address which should give you the
OUI ... you can figure out the mfgr [sic] of the
ethernet card. do you have access to your switch?
you can dump the mapping tables and get a physical
switch port. --psb
\_ When I remove an offending system from the
switch its arp traffic goes away, but almost
half of the systems on our switches are
producing this type of arp request. I'm
guessing it is some sort of config problem
either on the nic or the switch.
\_ Check /etc/sysctl.conf. See if it's trying to
act as a gateway. Also check for routed and
the like
\_ I see tons of this shit on my home cable modem. Annoying but
harmless if it's from the outside. Is that an external or all-
internal switch you're looking at?
\_ Internal switch. This is all local traffic. There is
so much arp traffic that it is causing significant
degradation in the network throughput. I have gige
switches (4 cisco 3750s) and all the systems have gige
nics (intel etherexpress 1000 or something) but I can
barely get 100Mb transfer speeds (6000K/s) between
systems.
\_ You sure there isn't some rogue windows box on that
net? Check for SMB traffic and other windowsy crap
on your net.
\_ I removed our switches from the main net so
that only the linux boxes and a couple of u10
were on the network and I still get this traffic.
I think that the gateway thing might be the
issue. I'll look at that today.
\_ Stopping these arps is not going to fix your
slow network problem. Do the math: 100 hosts *
1 arp/sec * 1024 bits/arp = 100 kb/sec. This
is nothing to your 1GB/s network. Your problem
is a full duplex/half duplex autonegotiation
problem or perhaps a 1GB/100MB auto negotiation
problem, I bet. -ausman
\_ Ding. Ausman wins. I would also posit that
the arps are normal. It's called Layer 2.
\- are you seeing ethernet frame errors?--psb |
http://csua.com/feed/