eperez@xxxxxxxxxxx wrote:
> [...]
> So far so good, but in the main Ethereal window where it shows how many packets
> per protocol it has received during the sniffing session I found that after 1 hour
> of sniffing 78% of my traffic was ARP and the rest was TCP (normal smb, tns,
> etc).
> [...]
> I did a search on the mailing list but found no clue about it. Maybe this is
> normal but I just don't know.

It is certainly not normal given that you have normal traffic such as
email, browsing of websites, smb shares, maybe filesharing?

Based on the limited information, the high amount of ARP packages could
be the result of an ARP-poisoning attempt, successful or not. It's not
usual that such a high amount of traffic on a LAN is ARP and I can't
think of another reason for having such a high percentage. Then again, I
don't know too much about networking, so I might miss a certain
situation where that level of traffic is justified.

Is that a private "house-internal" network or a company network?

You may want to check from which machines the high ARP traffic
originates, what the suspicious packets contain and whether the
information given in there is authentic (the IP really has that MAC
address, it's not mixed up).

It could also be some kind of virus which ARP-floods the network. A
flood should be easily spottable I think.

All my advice is based on the experiences I had and the experiences
others told me about. As I said, I might be missing something important
... it might be harmless after all, although it's not so harmless
considering that you experience a notable slowdown.

--Peter Marquardt, dignition media
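
The check suggested in the reply above (which machines the ARP traffic originates from, and whether each IP is consistently claimed by one MAC), as an added example that is not part of the original thread. The frames are constructed sample data and all function names (`parse_arp`, `summarize`, `make_arp`) are hypothetical.

```python
import struct
from collections import Counter, defaultdict

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):     # Ethernet + IPv4 only
        return None
    return op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

def summarize(frames):
    """ARP share of all frames, ARP frames per sender MAC, and IPs claimed by >1 MAC."""
    per_mac, claims, total = Counter(), defaultdict(set), 0
    for frame in frames:
        total += 1
        arp = parse_arp(frame)
        if arp is None:
            continue
        _op, mac, ip = arp
        per_mac[mac] += 1
        if ip != "0.0.0.0":                                 # ARP probes carry no sender IP
            claims[ip].add(mac)
    # A conflict is a lead to investigate, not proof: failover setups or a
    # replaced NIC can also make one IP appear behind two MACs.
    conflicts = {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}
    share = sum(per_mac.values()) / total if total else 0.0
    return {"arp_share": share, "per_mac": per_mac, "conflicts": conflicts}

def make_arp(op, sha, spa, tha="00:00:00:00:00:00", tpa="192.0.2.1"):
    """Build a constructed broadcast ARP frame (test data only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    eth = b"\xff" * 6 + mac(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed sample: one ordinary request, the gateway's own reply, five
# replies from a second MAC claiming the gateway IP, and one non-ARP frame.
SAMPLE = (
    [make_arp(1, "02:00:00:00:00:0a", "192.0.2.10"),
     make_arp(2, "02:00:00:00:00:01", "192.0.2.1")]
    + [make_arp(2, "02:00:00:00:00:0b", "192.0.2.1")] * 5
    + [b"\xff" * 12 + b"\x08\x00" + b"\x00" * 46]
)

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"ARP share: {report['arp_share']:.0%}")
    print("Top senders:", report["per_mac"].most_common(3))
    print("IPs claimed by several MACs:", report["conflicts"])
```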