Web Hosting Talk

View Full Version : How much ARP traffic is normal?


kensmithzzz
09-23-2003, 03:59 PM
Ever since the first day of Sobig.F, bandwidth graphs on my server at Fastservers.net have shown a big increase in incoming traffic. Previously, most of my traffic was outbound, as one would expect with a webserver. Now, incoming traffic is roughly double outgoing.

Poking around today with tcpdump, I see lots of 'arp who-has' traffic. I'm seeing more than 200 of these per second, and I'm wondering what's normal for arp packets.

I also ran 'arp -e', and see only 3 machines listed in the ARP cache on my machine.

racksense
09-23-2003, 04:15 PM
It really depends how many devices are on your local subnet.

Even so, seeing 200/sec constantly of these says to me that there's something odd going on, because ARP requests once looked up successfully should be cached (for 10 to 20 minutes - depends on the device).

Unless of course something is generating lots of ARP-who-has for IPs which don't exist, but that still sounds odd. Maybe one of these viruses targets local subnet IPs quite fiercely.

Strange aside, I am seeing something quite similar on my cable modem recently, amounting to about 5Kb/s. It's only started happening relatively recently, so I assume it's some kind of firmware bug on some piece of equipment somewhere.
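
Added example, not part of the original thread: one way to check the "something is generating lots of ARP who-has for IPs which don't exist" idea is to group the tcpdump lines by the requesting address and count how many different IPs each one asks for. The sample lines, the addresses and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Input: lines as printed by `tcpdump -n arp`. Handles the older
# "arp who-has X tell Y" and newer "ARP, Request who-has X tell Y" forms.
WHO_HAS = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+\s+.*?who-has\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+\([0-9a-fA-F:]+\))?\s+tell\s+(\d+\.\d+\.\d+\.\d+)")


def summarize(lines):
    """Per requesting IP: request count, distinct IPs asked for, requests/sec."""
    count, targets, seen = defaultdict(int), defaultdict(set), []
    for line in lines:
        m = WHO_HAS.match(line.strip())
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        hh, mm, ss, target, sender = m.groups()
        seen.append(int(hh) * 3600 + int(mm) * 60 + int(ss))
        count[sender] += 1
        targets[sender].add(target)
    # Whole seconds covered by the capture (assumed not to cross midnight).
    span = max(seen) - min(seen) + 1 if seen else 1
    return {s: {"requests": n, "targets": len(targets[s]), "per_sec": n / span}
            for s, n in count.items()}


def suspects(stats, min_targets=20):
    """Senders asking for many different IPs, unlike a router or server that
    re-resolves a handful of neighbours. min_targets is an assumed threshold."""
    return sorted(s for s, v in stats.items() if v["targets"] >= min_targets)


# Constructed sample: 10.0.0.77 sweeps 60 addresses in two seconds while the
# gateway 10.0.0.1 refreshes a single entry.
SAMPLE = [f"15:59:0{i % 2}.{i:06d} arp who-has 10.0.0.{i} tell 10.0.0.77"
          for i in range(1, 61)]
SAMPLE += [
    "15:59:00.500000 ARP, Request who-has 10.0.0.10 tell 10.0.0.1, length 46",
    "15:59:01.500000 ARP, Request who-has 10.0.0.10 tell 10.0.0.1, length 46",
    "15:59:01.600000 IP 10.0.0.10.80 > 10.0.0.9.1234: Flags [.], length 0",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for ip in suspects(stats):
        print(ip, stats[ip])
```

A sender with a high request rate but only a few targets points at a caching or reachability problem rather than a sweep, so the two columns are worth reading together.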