ohassairi Thu, 09/20/2007 - 03:58

i suppose you are using L2 switches.

i think according to design rules, broadcast should exceed 20%.

i suggest you segment your LAN.

carl_townshend Thu, 09/20/2007 - 04:24

that is the plan, it was running fine up until a few weeks ago, but now all the switches ping very slow but the clients that plug in them ping fine, the only thing I hsve seen is lots of arp traffic

ohassairi Fri, 09/21/2007 - 04:02

some viruses are at the origin of these problems: they try to scan the network so they flood the network with arp requests for sequential IPs:

192.168.1.1

192.168.1.2

....


use a sniffer like ethereal to see this arp traffic


hth please vote if you will discover it is a virus

Kevin Dorrell Mon, 09/24/2007 - 03:08

As he said, look for something scanning the range of addresses, or ARPing rapidly for lots of different addresses. You will spot it when you see it - they are usually pretty evident.


Kevin Dorrell

Luxembourg

geraldcombs Tue, 09/25/2007 - 11:16

First of all, you should switch to Wireshark ASAP. We renamed the project in May 2006, and have fixed lots of bugs since then.


40% ARP traffic sounds pretty excessive. As ohassairi and Kevin Dorrell pointed out, this could be a by-product of scanning - as the scanner tries to contact each unknown address on your network, an ARP will be generated. If the ARP requests come from your default gateway, then that's an indication that the scan is coming from the outside. Otherwise, it's probably coming from the inside.


There are other possible reasons for excessive ARPs, including spoofing and spanning tree loops.


As for the slow ping responses from switches, that's pretty normal. As I recall, ICMP processing on most switches receives a low priority.

Actions

This Discussion