
Ethereal-users: RE: [Ethereal-users] 78 percent of ARP packets on the network

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Brett Wheeler" <brett.wheeler@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 27 May 2004 09:16:14 +1000
Erick,
We had a similar ARP traffic figure at one stage; it turned out to be the
W32.Welchia.Worm (AKA W32/Nachi.worm, WORM_MSBLAST.D, Lovsan.D).

We found that each PC was trying to map all the other machines by using the
subnet mask and current address.

Since we use static addresses here, we were able to capture the source
addresses of infected PCs by capturing ARP requests addressed to an unused
IP, and then ran a cleaning program on each.

Have a look at http://www.sophos.com/support/disinfection/nachia.html for a
cleaner.

Good Luck,
Brett Wheeler
Network Administrator
Daramalan College
Dickson ACT 2602
Australia
Mob (+61) 0417 228 714
email brett.wheelerATdaramalanc.act.edu.au

****************************
* Only the good die young, *
* I love my immortality.   *
****************************

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx]On Behalf Of
eperez@xxxxxxxxxxx
Sent: Thursday, 27 May 2004 06:41
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] 78 percent of ARP packets on the network


My network started to slow down a few days ago. So I installed the latest
ethereal and winpcap for windows on an NT Server 4.0. All the network is switched and I
was trying to find some cause of the slowdown. I am aware of the limitations of
sniffing on a switched network, so I set the switches to replicate traffic so I
can see it with ethereal.
So far so good, but in the main ethereal window, where it shows how many packets
per protocol it has received during the sniffing session, I found that after 1 hour
of sniffing 78% of my traffic was ARP and the rest was TCP (normal smb, tns,
etc).

All the network has windows machines (95, 98, NT, 2000, XP), all servers are NT 4.0,
and the network has one PDC, one BDC and one WINS server.

I did a search on the mailing list but found no clue about it. Maybe this is
normal but I just don't know.

Comments/Flames/Suggestions are welcomed.

Erick.


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
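Brett's approach above, attributing ARP requests for addresses that nobody is assigned to the host that sent them, is easy to automate on a static-addressed subnet. The following is an added example (not code from either poster): it parses raw Ethernet/ARP request frames, keeps only requests whose target lies inside the subnet but outside the known allocation table, and reports senders that have probed at least a threshold number of distinct unused addresses. The subnet, the assigned-address set, the MAC addresses and the frames are constructed sample data; the threshold (`min_unused_hits`) is an assumption chosen so that a single stale lookup does not get a host flagged.

```python
"""Find hosts sweeping a subnet with ARP requests for unused addresses.

Added example for the Ethereal-users thread above; the frames, addresses and
threshold are constructed for illustration.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct a 42-byte Ethernet + ARP request frame (sample data only)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet/IPv4
    arp += sender_mac + IPv4Address(sender_ip).packed               # sender MAC/IP
    arp += b"\x00" * 6 + IPv4Address(target_ip).packed             # target MAC/IP
    return eth + arp


def parse_arp_request(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for an ARP request, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None                     # replies and non-IPv4 ARP are ignored
    sender_mac = frame[22:28].hex(":")
    sender_ip = str(IPv4Address(frame[28:32]))
    target_ip = str(IPv4Address(frame[38:42]))
    return sender_mac, sender_ip, target_ip


def find_sweepers(frames, subnet, assigned, min_unused_hits=3):
    """Map (sender_mac, sender_ip) -> sorted list of unused in-subnet targets it
    asked for, keeping only senders with at least min_unused_hits distinct hits."""
    net = IPv4Network(subnet)
    unused_targets = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sender_mac, sender_ip, target_ip = parsed
        # Requests for assigned hosts are normal; requests for addresses nobody
        # owns are the signal Brett used to locate infected PCs.
        if IPv4Address(target_ip) in net and target_ip not in assigned:
            unused_targets[(sender_mac, sender_ip)].add(target_ip)
    return {k: sorted(v) for k, v in unused_targets.items()
            if len(v) >= min_unused_hits}


# Constructed allocation table for a small static-addressed subnet.
SUBNET = "10.1.1.0/24"
ASSIGNED = {"10.1.1.1", "10.1.1.10", "10.1.1.20", "10.1.1.30"}


def sample_frames():
    """Constructed capture: one host sweeping 10.1.1.2-8, two behaving normally."""
    sweeper = bytes.fromhex("001122334455")
    normal = bytes.fromhex("aabbccddeeff")
    stray = bytes.fromhex("0a0b0c0d0e0f")
    frames = [build_arp_request(sweeper, "10.1.1.20", f"10.1.1.{n}")
              for n in range(2, 9)]
    frames += [build_arp_request(normal, "10.1.1.10", "10.1.1.1"),
               build_arp_request(normal, "10.1.1.10", "10.1.1.30"),
               build_arp_request(stray, "10.1.1.30", "10.1.1.99")]   # one-off, below threshold
    frames.append(b"\xff" * 6 + normal + b"\x08\x00" + b"\x00" * 28)    # IPv4 frame, skipped
    return frames


def demo():
    return find_sweepers(sample_frames(), SUBNET, ASSIGNED)


if __name__ == "__main__":
    for (mac, ip), targets in demo().items():
        print(f"{ip} ({mac}) asked for {len(targets)} unused addresses: {targets}")
```

On a real capture you would feed `find_sweepers` the raw frames of ARP requests (for example exported from a capture taken on the port the switch mirrors to) together with your own allocation table; the threshold is what separates an infected host walking the subnet from a workstation doing a single lookup of an address that has since been retired.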