Wireshark-users: Re: [Wireshark-users] Tons of ARP packets...?
From: IchBin <weconsultants@xxxxxxxxx>
Date: Wed, 11 Jul 2007 00:13:22 -0400
Richard Mundell wrote:
I took a quick look... ARP traffic appears to be what is essentially administrative traffic from other DSL customers (on the internet side of your connection) so your ISP's router can figure out IP address to Ethernet address mappings (might also be DHCP traffic... Not sure if that shows up in Wireshark as ARP traffic... Happy to be corrected on that!).

I'm guessing your PC is directly connected to the cable modem without a router? You really should invest in a router/firewall to sit between your cable modem and your PC. Hardware firewalls are typically more secure than software firewalls and it'll isolate you from that ARP traffic (not that it's doing any harm). Entry-level Linksys or D-Link products are less than $50 and should work straight out of the box.

The other traffic in the capture is a high volume of (failed) DNS lookups from your PC to a host called xxz0n3dxx.dyndns.org. I've confirmed this DNS entry doesn't exist, but I'm wondering if you might have some malware on your PC which is trying to "phone home". Make sure your anti-virus is up to date and run a full system scan (and try downloading the Spybot or MS Windows Defender products and scanning with those too).

All in all, though, over the 10 second period all of these packets are less than 52KB (kilobytes) or 416Kb (kilobits) - no more than 41kb/s on average, so that's not the reason why your 6Mb/s connection is running "slow". If you do have a malware-infected PC it could be making your network card generally run slow. If your PC checks out clean (or you clean it), you might want to try another speed test tool before going back to your ISP. There's a good free one, geographically located fairly near you, here: http://eng.nac.net/bwtest/.

Hope that helps.
Richard

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of IchBin
Sent: Tuesday, July 10, 2007 10:28 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Tons of ARP packets...?

Hello all, this is my first post here. I am not a network person and this is why I am posting here. Wireshark is running without any problems but having a hard time understanding why I am being bombarded with ARP packets.

The end of last week I started to be bombarded with ARP packets. I have a Comcast Internet Cable connection. I have a slow 3.5MB/sec connection. I'm supposed to get up to 6mb/sec but that is another story by itself. I am running on Windows XP SP2 and current on all updates.

The cable light on my modem, for displaying traffic, is just about solidly lit as if downloading a large file all the time. I traced about 10 seconds with Wireshark and found that three fourths of the traffic are ARP packets. My concern is the bandwidth that it must be eating up.

I initially thought that it was a hardware problem on Comcast's network. I called them and they checked my connection and said all is OK. They did not see this traffic. On my PC the funny thing is that if I sign in to another Windows XP SP admin user the cable modem light acts normal again and I do not see the ARP traffic.

Can anyone give me some insight or directions on resolving this problem? It has to be a problem. I have never seen traffic like this on any modem I have ever used. Is this the provider's problem or my problem that I could resolve? I have attached a 10 trace dump to this message.

Here is some of my Network connection information:
Physical Address: 00-00-88-24-2B-BA
IP Address: 69.139.93.171
Subnet Mask: 255.255.255.0
Default Gateway: 69.139.93.1
DHCP Server: 68.87.64.10
DNS Servers: 68.87.64.146, 68.87.75.194
Thank you Richard for your analysis. Sorry I replied to your email address. Well I guess it would be nice if I replied to the "gmane.network.wireshark.user: Authorization required" email...duh
I do run WinXP SP 2 firewall. I was running ZoneAlarm Pro but it was slowing down my machine. I am currently on an old PC that is on its last leg. I am building a new one to replace this one presently.
Anyway, I also run Avast! Pro, Ad-Aware SE Pro, SpywareBlaster and naturally Spybot Search and Destroy. Also run Registry Mechanic. I have run HijackThis and Fixwareout and cleaned up a lot of stuff. The problem happened after I cleaned up my machine. I mean to say I have been running clean for a few weeks before this problem.
I have a 591K Host file that I use from http://www.mvps.org/winhelp2002. I would guess this is why there are so many bad DNS lookups. But then again all of the websites in the host file point to my localhost so maybe I should look into this xxz0n3dxx.dyndns.org.
I think my machine is clean now but suspect what you mentioned about the phone-home problem may be true. It's kinda supported by the fact that if I sign off my account which has admin privilege, I use it all of the time, and sign on to another admin user I do not see this activity on the modem. Yes, I am not going through a router\firewall. It's a direct connection to cable modem and then computer USB port.
I was just concerned that all of a sudden my cable modem light is on all of the time like it's doing some heavy work.
--
Thanks in Advance...
http://weconsulting.org
IchBin, Philadelphia, Pa, USA
http://ichbinquotations.weconsulting.org
______________________________________________________________________
'If there is one, Knowledge is the "Fountain of Youth"'
-William E. Taylor, Regular Guy (1952-)
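
As an added example (not part of the original messages): one way to check a capture for the pattern Richard describes, a host repeatedly looking up a name that does not exist, is to export the DNS responses with tshark and count NXDOMAIN answers per name. The sample rows, the thresholds and the function names are assumptions constructed for illustration; only the host name comes from the thread.

```python
from collections import defaultdict

NXDOMAIN = "3"  # DNS response code 3: the queried name does not exist

# Constructed sample, in the tab-separated form produced by:
#   tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
#          -e frame.time_relative -e dns.qry.name -e dns.flags.rcode
SAMPLE = """\
0.412\txxz0n3dxx.dyndns.org\t3
1.105\twww.example.com\t0
1.950\txxz0n3dxx.dyndns.org\t3
3.401\txxz0n3dxx.dyndns.org\t3
4.220\ttypo.example.invalid\t3
5.020\txxz0n3dxx.dyndns.org\t3
6.733\txxz0n3dxx.dyndns.org\t3
8.310\txxz0n3dxx.dyndns.org\t3
"""

def failed_lookups(lines):
    """Map each queried name to the capture times of its NXDOMAIN answers."""
    failures = defaultdict(list)
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[0]:
            continue  # skip blank or malformed rows
        when, name, rcode = parts
        if rcode == NXDOMAIN:
            failures[name.lower().rstrip(".")].append(float(when))
    return failures

def repeated_failures(lines, min_count=5, window=10.0):
    """Names with at least min_count NXDOMAIN answers inside any `window` seconds."""
    flagged = {}
    for name, times in failed_lookups(lines).items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past old answers
            best = max(best, end - start + 1)
        if best >= min_count:
            flagged[name] = best
    return flagged

if __name__ == "__main__":
    for name, count in repeated_failures(SAMPLE.splitlines()).items():
        print(f"{name}: {count} failed lookups within 10 s")
```

A single mistyped name fails once and is ignored; a name that keeps failing at a steady rate is the one worth tracing back to the process making the queries.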