
New Member

traffic stats

Hi all, I have monitored my network. We sit on a class B subnet with around 800 devices on it. I have got some stats: there is 40% ARP and 60% IP traffic. Is that right, or is that bad?

6 REPLIES
Silver

Re: traffic stats

I suppose you are using L2 switches.

I think according to design rules, broadcast should exceed 20%.

I suggest you segment your LAN.

New Member

Re: traffic stats

That is the plan. It was running fine up until a few weeks ago, but now all the switches ping very slowly, while the clients that plug into them ping fine. The only thing I have seen is lots of ARP traffic.

Silver

Re: traffic stats

Some viruses are at the origin of these problems: they try to scan the network, so they flood the network with ARP requests for sequential IPs:

192.168.1.1

192.168.1.2

....

Use a sniffer like Ethereal to see this ARP traffic.

HTH. Please vote if you discover it is a virus.

New Member

Re: traffic stats

Hi there, how will I see if there is a virus via Ethereal?

Cheers

Carl

Re: traffic stats

As he said, look for something scanning the range of addresses, or ARPing rapidly for lots of different addresses. You will spot it when you see it - they are usually pretty evident.

Kevin Dorrell

Luxembourg

New Member

Re: traffic stats

First of all, you should switch to Wireshark ASAP. We renamed the project in May 2006, and have fixed lots of bugs since then.

40% ARP traffic sounds pretty excessive. As ohassairi and Kevin Dorrell pointed out, this could be a by-product of scanning - as the scanner tries to contact each unknown address on your network, an ARP will be generated. If the ARP requests come from your default gateway, then that's an indication that the scan is coming from the outside. Otherwise, it's probably coming from the inside.

There are other possible reasons for excessive ARPs, including spoofing and spanning tree loops.

As for the slow ping responses from switches, that's pretty normal. As I recall, ICMP processing on most switches receives a low priority.
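
Added example (not part of any reply in this thread): a small Python script that applies the checks described in the replies above to captured frames. It counts how many distinct addresses each host ARPs for, measures the longest sequential run, and labels the source as the gateway or an internal host. The gateway address, the threshold of 20 targets, and the sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

def parse_arp_request(frame):
    """Return (sender_ip, target_ip) for an Ethernet ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 1):  # oper 1 = request
        return None
    return IPv4Address(frame[28:32]), IPv4Address(frame[38:42])

def longest_run(ips):
    """Length of the longest run of consecutive addresses in a set."""
    nums = sorted(int(ip) for ip in ips)
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def find_arp_scanners(frames, gateway, min_targets=20):
    """Map sender IP -> (distinct targets, longest sequential run, origin)."""
    targets = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed:
            targets[parsed[0]].add(parsed[1])
    report = {}
    for src, seen in targets.items():
        if len(seen) >= min_targets:  # assumed threshold; tune per network
            origin = "outside (via gateway)" if src == gateway else "inside"
            report[str(src)] = (len(seen), longest_run(seen), origin)
    return report

def make_request(sender, target, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build a constructed ARP request frame for the sample data."""
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac
           + IPv4Address(sender).packed + b"\x00" * 6 + IPv4Address(target).packed)
    return eth + arp

# Constructed sample: one host sweeping .1-.40, plus normal host/gateway ARPs.
GATEWAY = IPv4Address("192.168.1.254")  # assumed gateway address
SAMPLE = [make_request("192.168.1.77", f"192.168.1.{i}") for i in range(1, 41)]
SAMPLE += [make_request("192.168.1.10", "192.168.1.254"),
           make_request("192.168.1.254", "192.168.1.10")]
```

Frames from a real capture can be fed to `find_arp_scanners` as raw Ethernet byte strings; a high target count with a long sequential run is the sweep pattern the replies describe.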
