[PLUG] Traffic tracking trouble

Adam Zion on 3 Aug 2011 12:28:30 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Traffic tracking trouble

From: Adam Zion <azion1995@gmail.com>
To: PLUG <plug@lists.phillylinux.org>
Subject: [PLUG] Traffic tracking trouble
Date: Wed, 3 Aug 2011 15:28:25 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=K6jkqedb98j7AbZK+NoUXp5ktmC1ES/giiB6kr0yrV4=; b=B4zb6dSft9rZt409C4VEdYeCZha2DfiqksM03yB+zwN4vOPjfO9actCPcpxvn+QJNF 9fAnug7MaXwA2YAaNVnk1B+E6qByIDb5ilEc7IjxVKGyD7KhFsFrkJPrp7kjgeG4bvbx dTbIRXmEBLTd26D9zqreo7DLVK5cj6Xg1IjHI=
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: plug-bounces@lists.phillylinux.org

We've had poor performance on the network at my location, and it
occurred to me that the reason could be a chatty host on the network.
So, I fired up Wireshark (formerly known as Ethereal, a packet
sniffer) and took a look.

I found that our AdTran router was blasting out constant ARP
broadcasts trying to find various equipment which was no longer
present. One bit was easy to fix: an NTP server which my predecessor
at this location had removed. I switched my linux box over to the IP
formerly used by the missing server, and all the ARPs looking for it
vanished (well, to be more accurate, the AdTran would send an ARP or
two, get a response, and then shut up).

However, we also found a number of ARPs related to the former IP for
one specific network printer, and we can't find what PC is out there
that's trying to connect to the old IP. To my way of thinking, we can
address this in 3 ways: track down the computer(s) making the requests
for the old IP, somehow prevent the AdTran from responding to requests
for said by IP by blasting out ARPs, or just set up a host on the IP
to respond to the requests.

Is there some sort of tool that can track the host that's looking for
the old IP, and thereby spawning the ARPs? Bear in mind that this may
well be a host that's at a remote site, since I've checked every
system over here that could be looking for it, and not found it.

This may seem minor, but my Wireshark logs find that these ARP
requests- looking for this single absent IP- make up anywhere from
10-20% of total network traffic here. So, if we could get rid of them,
I rather think it would be a big help on performance.

-Z

-- 
Adam+Zion, MCSE+I, Registered Linux User #471910
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Traffic tracking trouble
  - From: Carl Johnson <cjohnson19791979@gmail.com>
- Re: [PLUG] Traffic tracking trouble
  - From: Rich Freeman <r-plug@thefreemanclan.net>

Prev by Date: [PLUG] [plug-announce] Wednesday, Aug 3, 2011: PLUG Central - Lightning Talks (7pm at USP)
Next by Date: Re: [PLUG] Traffic tracking trouble
Previous by thread: [PLUG] [plug-announce] Wednesday, Aug 3, 2011: PLUG Central - Lightning Talks (7pm at USP)
Next by thread: Re: [PLUG] Traffic tracking trouble
Index(es):
- Date
- Thread