Hi there, the thing is, the users werent even doing anything at the time ?

What snmp software is installed on the pc? What network management software (snmp) does the user have loaded that would be sending snmp gets across the network? from the packet capture what OID was it trying to query?

I've seen printer dricer software like this before. I don't remember the brand - it was some years ago (circa 1998.) It was used to print to a networked copier/printer/fax.

Basic operation for the printer driver went something like:

1) Listen for RIP updates to gather subnet information.

2) Send broadcast and directed broadcast snmpgets to each subnet, using a proprietary OID that only the printer could respond to with a valid value.

3) Having received valid response(s), commence connection with printer(s).

However, the traffic generated by that old driver was no where near 25kpps.

Seems there are a few issues here:

A) Why does a printer driver send 25kpps snmpgets?

B) Where/how is it sending them? ie multicast, unicast, sequentially by IP, etc?

C) Which might lead us to the most important question - how can a single PC kill your network?

Carl, can you disclose the driver information and OID(s)? Or perhaps a packet capture where you see the 25k packets/sec?

In the meantime, I'd apply an access-list to your snmp-server community config on your switches and routers so that they will reject all snmp gets from non-authorized hosts. My first guess is that cpu utilization on network devices is reaching critical levels due to either excessive snmp lookups or multicast traffic.

-Michael

Hi there, thanks for your response, we may of sorted the problem now by removing the printer from the pc and installing it on the print server, we have done this on the wireless pc's and not it seems all ok

thanks