[OT] Traffic from ff:ff:ff:ff:ff:ff in switched environment

[OT] Traffic from ff:ff:ff:ff:ff:ff in switched environment

[Eduardo Fernández]

Hi all,

i know this is not strictly about netfilter, but here it goes:

While I was deploying my firewall script, I noticed some weird traffic
from mac ff:ff:ff:ff:ff:ff in my router's private interface. Later on I
noticed the same traffic in other computers within the network. The
traffic was arp who-has packets at a constant rate of about 35 kbytes/s.
It's a /16 network in a switched environment. 

Thank you very much in advance. Best regards,

Eduardo

Re: [OT] Traffic from ff:ff:ff:ff:ff:ff in switched environment

[Jason Opperisano]

On Tue, 2004-11-16 at 16:45, Eduardo Fernández wrote:
> Hi all,
> 
> i know this is not strictly about netfilter, but here it goes:

it sure isn't.

> While I was deploying my firewall script, I noticed some weird traffic
> from mac ff:ff:ff:ff:ff:ff in my router's private interface. 

it's more likely that ff:ff:ff:ff:ff:ff is the destination mac, not the
source...

> Later on I
> noticed the same traffic in other computers within the network. The
> traffic was arp who-has packets at a constant rate of about 35 kbytes/s.
> It's a /16 network in a switched environment.

arp "who-has" packets are vital to the proper functioning of a local
area network--it's how each host finds the MAC address associated with
each IP on the network.

the volume of traffic you're seeing is a symptom of the fact that you
have a /16 configured as a flat, switched network.

the guy that i learned TCP/IP networking from once told me a good
guideline is to never have more than 1024 hosts in a single layer-2
broadcast domain, as the broadcast traffic becomes unmanageable.  he
knew a whole lot more than i ever will--so i try to stick to that when i
(re)design a network.

-j

--
"Silly customer, you cannot hurt a Twinkie!"
	--The Simpsons

Re: [OT] Traffic from ff:ff:ff:ff:ff:ff in switched environment

[Eduardo Fernández]

El mar, 16-11-2004 a las 17:02 -0500, Jason Opperisano escribió:
> it's more likely that ff:ff:ff:ff:ff:ff is the destination mac, not the
> source...

Nope, I was quite surprised too, but that's the src mac.

> arp "who-has" packets are vital to the proper functioning of a local
> area network--it's how each host finds the MAC address associated with
> each IP on the network.

I've seen some viruses lately trying to forge their ip/mask, maybe this
is the cause, since I've never since traffic FROM that mac.

> the volume of traffic you're seeing is a symptom of the fact that you
> have a /16 configured as a flat, switched network.
> 
> the guy that i learned TCP/IP networking from once told me a good
> guideline is to never have more than 1024 hosts in a single layer-2
> broadcast domain, as the broadcast traffic becomes unmanageable.  he
> knew a whole lot more than i ever will--so i try to stick to that when i
> (re)design a network.

Mmm, it's a /16 but I don't have more than about 500 computers. Maybe I
should resize the network to a /22 or so.

Thank you very much,

Eduardo