[HPADM] Excessive ARP activity







Admins,

I've been seeing excessive activity with the arp cache/table on
11.0 (K series, Gig E) and 11.11 (RP5470, 100BT) servers (all patched to
the latest ARPA and LAN cumulative patches). These machines sit on a
switched and subnetted network, including our PC community numbering in
the thousands. Now, I'm seeing arp table entries cyclically increasing
to over 2400+ entries, then getting cleared at the normal ndd arp
"arp_cleanup_interval" interval, which is set to 5 minutes on the
11.0's and 1 minute on the 11.11 machine (must be defaults because I
never changed that interval in rc.config.d/nddconf). After getting
cleared, they climb back up at a rate of ~20-30 per second. Now, I
know these servers are NOT talking to that many machines. The busiest
production box (11.0 K580) usually has ~150-180 concurrent
user/connections. And this condition exists on the development 11.0 K
box, with only one or two admins logged in. I don't think any other server
platforms are exhibiting this, either. I'm not running any kind of
routing daemon (routed, gated, etc.) or rarpd either. From what I
understood about ARP, it is my machine that would issue an arp request
for arp activity to be initiated, thus populating my local arp cache table.
But there's NO WAY that I know of, that these servers are trying to talk to
that number of machines. How can these servers be putting out a
broadcast arp request, if that's what's happening, that is being
responded to by all these PCs? Has anyone seen anything similar?

Thx,
Dave



