  1. #1
    Join Date
    Apr 2003
    Posts
    237

    ARP Traffic Question

    I have just purchased a dedicated server and noticed that there is a lot of incoming traffic coming into the server. Support have said that it's ARP traffic and it's normal.

    What do you guys think? Is over 200meg a day of ARP traffic normal?

    Also, is it possible to find out where the traffic is coming from (Red Hat Linux)?

    Thanks in advance

  2. #2
    Join Date
    Jul 2003
    Location
    London UK
    Posts
    327
    Sheesh 200meg, no that is not normal.

    That said, with some of the new virus worms around there is an increase in bogus traffic that can cause ARP etc. For example, whichever virus it was that generates lots of ICMP ping requests probing for hosts to attack. For quite a while (months!) I was seeing 5Kb/s inbound on my cable modem in ARP requests from other cable customers' compromised machines.

    So, if you are on a subnet with a lot of other hosts you may see spurious ARP broadcasts, even so, 200meg a day sounds like a hell of a lot, and I would suggest there is something wrong somewhere.
    Paul Civati
    Rack Sense Ltd UK Managed Services Provider
    Views expressed are my own and not those of the company.

  3. #3
    Join Date
    Jul 2002
    Location
    USA
    Posts
    1,125
    Block the other machines on the subnet in your firewall if possible. They most likely have viruses on them that are sending out that traffic.

  4. #4
    Join Date
    Apr 2003
    Posts
    237
    Thanks paul-xendia, rob_acunett ...

    I have asked my host to have another look at this and will see what they say...

  5. #5
    Join Date
    Apr 2003
    Posts
    237
    What sort of arp traffic should I be expecting on a good network?

    Current graph is attached (provided by datacentre)...

  6. #6
    Join Date
    Jul 2003
    Location
    London UK
    Posts
    327
    Well for a start the graph is broken.

    The max/average/current in/out are the wrong way around compared to the blue/green in/out legend!

    (Compare the max in/out peaks with the blue/green on the graph).

    So, your problem may be an incorrect graph and the traffic may be correct, but you'll have to get them to correct the data to clarify.
    Paul Civati
    Rack Sense Ltd UK Managed Services Provider
    Views expressed are my own and not those of the company.

  7. #7
    Join Date
    Jun 2003
    Posts
    673
    Run "tcpdump -n >log" for a while on the server to get an idea of what sort of traffic is getting sent to it.

  8. #8
    Join Date
    Apr 2003
    Posts
    237
    The output from tcpdump shows that I am getting more than 70 ARP requests a second.

    I noticed the figures below the graph are the wrong way around but am still waiting for a response on that too.

    Hopefully all this will sort itself out soon, as the network speeds and servers are great. I wouldn't be surprised if this was a cheap host, but we are talking about a datacentre with a very good reputation here.

  9. #9
    Originally posted by ijg0
    What sort of arp traffic should I be expecting on a good network?

    Current graph is attached (provided by datacentre)...
    It looks like your provider has everyone riding the single vlan 1. What you are seeing is the broadcast traffic of everyone on that LAN.
    www.zubrcom.net | Tel: 1-877-982-7266 / 1-267-298-3232 | [email protected]
    Hosting, VPS, Servers, Unmetered 10, 100 and Gigabit servers - Colocation - Engineering services
    "Elegant solutions to complex problems in the Internet-centric world"

  10. #10
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,304
    Originally posted by ijg0
    The output from tcpdump shows that I am getting more than 70 arp requests a second
    That's not very many, actually, especially depending on the ARP caching being done (or not done) by the gateway routers. It's possible, for example, that every time a worm probes an unused IP on that VLAN, an ARP request goes out.

    Note that some traffic counters only count IP traffic, so ARP doesn't even show up. In any case, ARPs that don't correspond to your machine are promptly ignored and really have no effect on performance.

    Kevin
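
Added example, not code from any poster in this thread: a Python sketch that reads a `tcpdump -n` log like the one suggested in post #7, tallies ARP requests by sender (the `tell` address) to show where the broadcasts originate, and converts a request rate into a daily byte volume. The sample lines are constructed with documentation addresses, and the 60-byte frame size (minimum Ethernet frame without FCS) is an assumption.

```python
import re
from collections import Counter

# Accepts both tcpdump text styles for an ARP request:
#   "ARP, Request who-has X tell Y, length 46"  and the older  "arp who-has X tell Y"
ARP_REQ = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) arp\b.*?who-has (\S+)(?: \(\S+\))? tell ([0-9.]+)",
    re.IGNORECASE,
)

# Constructed sample of `tcpdump -n` output (192.0.2.0/24 is a documentation range).
SAMPLE = """\
12:00:00.000000 ARP, Request who-has 192.0.2.40 tell 192.0.2.1, length 46
12:00:00.250000 ARP, Request who-has 192.0.2.41 tell 192.0.2.1, length 46
12:00:00.500000 IP 192.0.2.77.51515 > 192.0.2.10.22: Flags [S], seq 1, win 512, length 0
12:00:00.750000 arp who-has 192.0.2.42 tell 192.0.2.1
12:00:01.000000 ARP, Request who-has 192.0.2.10 tell 192.0.2.23, length 46
12:00:02.000000 ARP, Reply 192.0.2.10 is-at 00:00:5e:00:53:01, length 28
""".splitlines()

def parse_arp_requests(lines):
    """Yield (seconds_since_midnight, sender_ip, target_ip) for each ARP request."""
    for line in lines:
        m = ARP_REQ.match(line)
        if m:
            h, mi, s, frac, target, sender = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac), sender, target

def summarize(lines):
    """Count requests, per-sender and per-target totals, and the average rate."""
    reqs = list(parse_arp_requests(lines))
    # Span is first-to-last request; a capture that crosses midnight is not handled.
    span = reqs[-1][0] - reqs[0][0] if len(reqs) > 1 else 0.0
    return {
        "requests": len(reqs),
        "rate_per_s": len(reqs) / span if span > 0 else 0.0,
        "senders": Counter(sender for _, sender, _ in reqs),
        "targets": Counter(target for _, _, target in reqs),
    }

def bytes_per_day(rate_per_s, frame_bytes=60):
    """Daily volume for a steady request rate; frame_bytes is an assumed frame size."""
    return rate_per_s * frame_bytes * 86400

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report["requests"], "requests,", report["rate_per_s"], "per second")
    for ip, n in report["senders"].most_common(5):
        print(f"{ip:15} {n}")
    print("70 req/s ~", bytes_per_day(70) / 1e6, "MB/day")
```

A single sender dominating the tally usually means the gateway is resolving addresses on behalf of outside traffic, while many distinct senders point at hosts sharing the broadcast domain.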
