Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
600
Views
0
Helpful
6
Replies

traffic stats

carl_townshend
Spotlight
Spotlight

‎09-19-2007 11:49 PM - edited ‎03-05-2019 06:35 PM

Hi all, i have monitored my network, we sit on a class b subnet with around 800 devices on it, I have got some stats, there is 40% arp and 60% ip traffic, is that right ? or is that bad ?

Labels:
0 Helpful
6 Replies 6

ohassairi
Level 5
Level 5

‎09-20-2007 03:58 AM

i suppose you are using L2 switches.

i think according to design rules, broadcast should exceed 20%.

i suggest you segment your LAN.

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to ohassairi

‎09-20-2007 04:24 AM

that is the plan, it was running fine up until a few weeks ago, but now all the switches ping very slow but the clients that plug in them ping fine, the only thing I hsve seen is lots of arp traffic

0 Helpful

ohassairi
Level 5
Level 5
In response to carl_townshend

‎09-21-2007 04:02 AM

some viruses are at the origin of these problems: they try to scan the network so they flood the network with arp requests for sequential IPs:

192.168.1.1

192.168.1.2

....

use a sniffer like ethereal to see this arp traffic

hth please vote if you will discover it is a virus

0 Helpful

carl_townshend
Spotlight
Spotlight
In response to ohassairi

‎09-24-2007 02:24 AM

hi there, How will I see if there is a virus via ethereal ?

cheers

Carl

0 Helpful

Kevin Dorrell
Level 10
Level 10
In response to carl_townshend

‎09-24-2007 03:08 AM

As he said, look for something scanning the range of addresses, or ARPing rapidly for lots of different addresses. You will spot it when you see it - they are usually pretty evident.

Kevin Dorrell

Luxembourg

0 Helpful

geraldcombs
Level 1
Level 1
In response to carl_townshend

‎09-25-2007 11:16 AM

First of all, you should switch to Wireshark ASAP. We renamed the project in May 2006, and have fixed lots of bugs since then.

40% ARP traffic sounds pretty excessive. As ohassairi and Kevin Dorrell pointed out, this could be a by-product of scanning - as the scanner tries to contact each unknown address on your network, an ARP will be generated. If the ARP requests come from your default gateway, then that's an indication that the scan is coming from the outside. Otherwise, it's probably coming from the inside.

There are other possible reasons for excessive ARPs, including spoofing and spanning tree loops.

As for the slow ping responses from switches, that's pretty normal. As I recall, ICMP processing on most switches receives a low priority.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card