
Ethereal-users: Re: [Ethereal-users] 78 percent of ARP packets on the network

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "David Bremer" <DAVEB@xxxxxxxxxxxxxx>
Date: Thu, 27 May 2004 09:45:11 +1200
This is one area in which I am interested and a decidedly NON-expert. How much is too much?

In an Ethernet network you may find that a huge number of packets are broadcast - especially ARP. Having said that - we have noticed some machines infected with the Welchia virus send out what amounts to an ARP flood (in our eyes anyway). If you've got a shitload (technical term for "lots") of ARPs from a limited number of devices, check them out for virus infection (not just for the one I mention).

As for how much is too much - all I've found are recommendations to take baseline measurements during the good times so that you can spot changes - and to treat all unexpected dramatic changes as a problem.

Oh - you might like to test that your port-mirroring is working and you're not missing the majority of TCP traffic - on a separate machine (different switch) copy something from a file server or similar and see if you can spot it in the capture.

Dave

>>> eperez@xxxxxxxxxxx 27/05/04 08:40:43 >>>
My network started to slow down a few days ago. So I installed the latest Ethereal
and WinPcap for Windows on an NT Server 4.0. All the network is switched and I
was trying to find some cause of the slowdown. I am aware of the limitations of
sniffing on a switched network so I set the switches to replicate traffic so I
can see it with Ethereal.
So far so good, but in the main Ethereal window where it shows how many packets
per protocol it has received during the sniffing session I found that after 1 hour
of sniffing 78% of my traffic was ARP and the rest was TCP (normal SMB, TNS,
etc.).

All the network has Windows machines (95, 98, NT, 2000, XP), all servers are NT 4.0
and the network has one PDC, one BDC and one WINS server.

I did a search on the mailing list but found no clue about it. Maybe this is
normal but I just don't know.

Comments/Flames/Suggestions are welcomed.

Erick.
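An added example (not from this thread or from Ethereal) of the check Dave describes, in Python: parse raw Ethernet/ARP frames, compute the ARP share of a capture, and flag any sender that asks for an unusually large number of distinct target IPs, which is what a Welchia-style sweep looks like against a baseline of ordinary lookups. The frames, MACs, addresses and the 50-target threshold are all constructed here for illustration.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip, opcode), or None if the frame
    is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    if ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    _ht, _pt, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if hlen != 6 or plen != 4:
        return None
    return sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa)), op

def arp_summary(frames, scan_threshold=50):
    """ARP share of all frames, ARP requests per sender MAC, and senders that asked
    for at least scan_threshold distinct targets (a sweep, not normal resolution)."""
    requests, targets, arp_total = defaultdict(int), defaultdict(set), 0
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        arp_total += 1
        sender, _spa, tpa, op = parsed
        if op == 1:                         # 1 = request (who-has), 2 = reply
            requests[sender] += 1
            targets[sender].add(tpa)
    share = arp_total / len(frames) if frames else 0.0
    sweepers = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return share, dict(requests), sweepers

def build_arp_request(sha, spa, tpa):
    """Constructed broadcast ARP who-has frame from sha/spa asking for tpa."""
    return (ETH_HDR.pack(b"\xff" * 6, sha, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, 1, sha, spa, b"\x00" * 6, tpa))

def sample_frames():
    """Constructed traffic: one host sweeping 10.0.0.1-200, one host doing three
    ordinary lookups, and 57 plain IPv4 frames (ethertype 0x0800) as the rest."""
    sweeper, normal = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    frames = [build_arp_request(sweeper, bytes([10, 0, 0, 250]), bytes([10, 0, 0, i]))
              for i in range(1, 201)]
    frames += [build_arp_request(normal, bytes([10, 0, 0, 7]), bytes([10, 0, 0, 1]))] * 3
    frames += [ETH_HDR.pack(normal, sweeper, 0x0800) + b"\x00" * 40] * 57
    return frames
```

On the constructed sample the ARP share comes out at about 78%, as in Erick's capture, but the per-sender view is what separates one sweeping host from a network that simply has a lot of legitimate ARP.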

