Excessive network traffic -

John Summerfield debian at herakles.homelinux.org
Wed Nov 28 23:58:43 UTC 2007

Bob Goodwin wrote:
> John Summerfield wrote:
>> tcpdump -i eth1 -w /tmp/trace -s 9999 port 53
>> After a while,
>> ^C
>> then
>> tcpdump -r /tmp/trace <and whatever the man page suggests and you find 
>> attractive> | less
> Looking at port 53 produced nothing in half an hour with only tcpdump 
> running so I assume wireshark or iptraf was causing the dns messages.  
> However I can see a lot of data if I don't limit it to a particular 
> port.  Interpreting the data is another matter.
> Apparently eth1 is a slow NIC but that's ok for what I'm doing ...  It 
> seems to me I should be able to stir up some activity with another 
> computer, this one [box6], and see something happen in the tcpdump data 
> stream [on box10].  How can I identify data for my system?  Presumably 
> most of what I am seeing is data directed at other subscribers.
> So I've got all this data and don't know how to deal with it.  Any help 
> appreciated.
> tcpdump -r /tmp/trace
> reading from file /tmp/trace, link-type EN10MB (Ethernet)
> 14:48:00.580934 arp who-has tell
> 14:48:00.581241 arp who-has tell
> 14:48:05.034887 arp who-has tell
> 14:48:05.035318 arp who-has tell
> 14:48:06.038873 arp who-has tell
> 14:48:06.039296 arp who-has tell
> 14:48:08.399597 arp who-has tell
> 14:48:08.400263 arp who-has tell
> 14:48:09.448529 arp who-has tell
> 14:48:09.449413 arp who-has tell
> 14:48:10.668593 arp who-has tell
> 14:48:10.669371 arp who-has tell
> 14:48:13.233549 arp who-has tell
> 14:48:13.234232 arp who-has tell
> 14:48:15.694350 arp who-has tell
> 14:48:15.694784 arp who-has tell
> 14:48:17.243791 arp who-has tell
> 14:48:17.244236 arp who-has tell
> 14:48:19.063647 arp who-has tell

IP packets on ethernet are wrapped in ethernet packets. Think of putting 
an IP-addressed packet inside an envelope and writing an ethernet 
address on the outside.

To find the address, the IP stack sends out an ethernet broadcast 
asking who has the address, tell me. That's what you're seeing there.

There should be packets in response. Here's an example from when I 
pinged Linux from Windows:
08:47 [summer at numbat ~]$ sudo tcpdump -i eth0 -nr /tmp/trace
reading from file /tmp/trace, link-type EN10MB (Ethernet)
08:46:14.800714 arp who-has tell
08:46:14.803282 arp who-has tell
08:46:14.803311 arp reply is-at 00:0d:60:f0:ac:5c
08:46:14.803493 IP > ICMP echo request, id 
512, seq 13824, length 40
08:46:14.803541 IP > ICMP echo reply, id 
512, seq 13824, length 40
08:46:15.796336 IP > ICMP echo request, id 
512, seq 14080, length 40
08:46:15.796383 IP > ICMP echo reply, id 
512, seq 14080, length 40
08:46:16.796447 IP > ICMP echo request, id 
512, seq 14336, length 40
08:46:16.796534 IP > ICMP echo reply, id 
512, seq 14336, length 40
08:46:17.796323 IP > ICMP echo request, id 
512, seq 14592, length 40
08:46:17.796374 IP > ICMP echo reply, id 
512, seq 14592, length 40
08:46:19.803915 arp who-has tell
08:46:19.804150 arp reply is-at 00:18:71:84:a5:da
08:46:22.843325 IP > NBT UDP PACKET(138)
08:47 [summer at numbat ~]$

Once the IP stack has the address, it can address the envelope and pop 
it in the mail.

It remembers the association for a time so it doesn't have to repeat the 
lookup too often.

In your case, you're not getting the arp replies. This would be 
consistent with your network cable connecting your NIC to a switch which 
is turned on, but nothing else is plugged into the switch, _if_ the only 
"tell" IP address you saw is yours.

It's also consistent with your seeing the ethernet broadcasts but not 
the replies. That's what you should expect.

I would not be concerned about that traffic.



-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice

You cannot reply off-list:-)
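Bob's question about making sense of the trace, and John's point that every who-has broadcast should be followed by an is-at reply, can be checked mechanically rather than by eye. The following Python script is an added example and is not code from either poster: it parses a classic pcap file as written by tcpdump -w, prints the ARP frames in tcpdump's own wording, and lists the who-has targets that never got an answer. The capture it decodes by default is constructed inline with made-up addresses (192.168.1.x) and a dummy non-ARP frame, so it runs offline; pass a real capture such as /tmp/trace to main() to use it on your own data.

```python
"""Added example: decode ARP in a pcap capture, print it tcpdump-style and
report which "who-has" requests never got an "is-at" reply.  Addresses in
the sample capture are constructed for the demo."""
import struct
from collections import Counter

ETH_P_ARP, ETH_P_IP = 0x0806, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip4(s): return bytes(int(o) for o in s.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def arp_frame(op, sha, spa, tha, tpa):
    """Ethernet + ARP frame; requests go to the broadcast MAC, replies to the asker."""
    dst = BROADCAST if op == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op) + mac(sha) + ip4(spa) + mac(tha) + ip4(tpa)
    return eth + arp

def build_pcap(records):
    """Classic pcap, link-type 1 (EN10MB); records are (sec, usec, frame)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, frame in records:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Yield (sec, usec, frame) from a classic pcap file in either byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError(f"link-type {linktype} is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec, usec, data[off:off + incl]
        off += incl

def decode_arp(frame):
    """ARP fields of an Ethernet frame, or None when it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    if struct.unpack_from("!HHBB", frame, 14) != (1, ETH_P_IP, 6, 4):
        return None
    op = struct.unpack_from("!H", frame, 20)[0]
    a = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return {"op": op, "sha": fmt_mac(a[0:6]), "spa": fmt_ip(a[6:10]),
            "tha": fmt_mac(a[10:16]), "tpa": fmt_ip(a[16:20])}

def tcpdump_line(sec, usec, arp):
    """Same wording as 'tcpdump -n': who-has T tell S / reply S is-at MAC."""
    h, rem = divmod(sec % 86400, 3600)
    m, s = divmod(rem, 60)
    stamp = f"{h:02d}:{m:02d}:{s:02d}.{usec:06d}"
    if arp["op"] == ARP_REQUEST:
        return f"{stamp} arp who-has {arp['tpa']} tell {arp['spa']}"
    return f"{stamp} arp reply {arp['spa']} is-at {arp['sha']}"

def arp_summary(data):
    """Correlate requests with replies: 'unanswered' maps target IP -> request count."""
    requests, answered, askers, lines = Counter(), set(), set(), []
    for sec, usec, frame in parse_pcap(data):
        arp = decode_arp(frame)
        if arp is None:       # IP, IPv6 etc.: not ARP, skip
            continue
        lines.append(tcpdump_line(sec, usec, arp))
        if arp["op"] == ARP_REQUEST:
            requests[arp["tpa"]] += 1
            askers.add(arp["spa"])
        elif arp["op"] == ARP_REPLY:
            answered.add(arp["spa"])   # a reply names the IP it answers for
    unanswered = {t: n for t, n in requests.items() if t not in answered}
    return {"lines": lines, "askers": sorted(askers), "unanswered": unanswered}

# Constructed sample: 192.168.1.10 asks for 192.168.1.1 three times and nobody
# answers (the thread's situation); 192.168.1.20's request for .30 is answered;
# one non-ARP frame shows that other traffic is skipped.
_ask10 = arp_frame(ARP_REQUEST, "00:11:22:33:44:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
SAMPLE_PCAP = build_pcap([
    (1196290080, 580934, _ask10), (1196290085, 34887, _ask10), (1196290086, 38873, _ask10),
    (1196290086, 500000, arp_frame(ARP_REQUEST, "00:11:22:33:44:20", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.30")),
    (1196290086, 500300, arp_frame(ARP_REPLY, "00:11:22:33:44:30", "192.168.1.30", "00:11:22:33:44:20", "192.168.1.20")),
    (1196290087, 0, bytes(12) + struct.pack("!H", ETH_P_IP) + bytes(40)),  # dummy IP frame
])

def main(path=None):
    result = arp_summary(open(path, "rb").read() if path else SAMPLE_PCAP)
    print("\n".join(result["lines"]))
    print("hosts sending who-has:", ", ".join(result["askers"]))
    for target, n in result["unanswered"].items():
        print(f"{target}: {n} request(s), no reply seen")

if __name__ == "__main__":
    main()
```

On the live box the same questions are answered by tcpdump itself: tcpdump -n -i eth1 arp shows only the who-has/is-at exchange, and tcpdump -n -i eth1 host A.B.C.D (with your own address) restricts the trace to frames sent to or from your system, which is what Bob asked for. The script only reads the classic pcap format that tcpdump -w produces, not pcapng.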
