Hello Jeronimo,

Broadcast storms are normally the result of switching loops. You had better avoid them by using STP-enabled switches.

2008/4/12, Jeronimo Bezerra <[EMAIL PROTECTED]>:
> Hello All,
>
> I installed ntop at my job just to detect broadcast storms in my network. I
> was satisfied until yesterday, when one computer with some trouble (I didn't
> locate it) started to send almost 11.000 pps of ARP Requests (broadcast).
> I sniffed with tcpdump to discover the source and tried to find the MAC in
> ntop. I didn't find the IP address of the source, so I went to ntop, clicked
> on "All protocols" and on Throughput, and I saw that the biggest user was
> using 100 pps (I saw it in Packets-Current). So, NTOP didn't help me to
> detect the anomalous traffic (I know that 100 pps in broadcast is a lot, but
> it's not the same as 11.000 pps).
>
> So, I use Debian Etch, and run ntop with this line:
>
> /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --skip-version-check -a
> /var/log/ntop/access.log -i eth1.14 -p /etc/ntop/protocol.list -O
> /var/log/ntop
>
> and this eth1 is a tagged vlan (14) port without IP.
>
> I read almost all the documentation on ntop.org. I saw ntop does a lot more
> things than I could possibly imagine, but didn't find anything specific about
> broadcast storms.
>
> So, what detail did I forget? Any help?
>
> Thanks a lot
>
> Jeronimo
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
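
Added example, not part of the original thread: a per-source-MAC tally of broadcast ARP requests per second, the figure the question above tries to read out of a tcpdump capture. The input shape (lines like `tcpdump -e -n -tt arp` output), the sample lines, the MAC and IP addresses and the 100 pps threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Assumed input: text lines shaped like `tcpdump -e -n -tt arp` output.
ARP_REQ = re.compile(
    rf"^(?P<sec>\d+)\.\d+\s+(?P<src>{MAC})\s+>\s+(?P<dst>{MAC}),"
    r".*?who-has\s.*?\btell\s+(?P<ip>\d+(?:\.\d+){3})",
    re.IGNORECASE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def peak_arp_pps(lines):
    """Map source MAC -> (peak broadcast ARP requests in one second, sender IPs)."""
    buckets, senders = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m is None or m["dst"].lower() != BROADCAST:
            continue  # skip replies, unicast probes and unparseable lines
        mac = m["src"].lower()
        buckets[mac][int(m["sec"])] += 1   # one-second bucket per source MAC
        senders[mac].add(m["ip"])          # IP the frame claims to come from
    return {mac: (max(c.values()), sorted(senders[mac])) for mac, c in buckets.items()}

def storm_sources(lines, threshold_pps=100):
    """Sources whose peak rate reaches the threshold, busiest first."""
    hits = [(mac, pps, ips) for mac, (pps, ips) in peak_arp_pps(lines).items()
            if pps >= threshold_pps]
    return sorted(hits, key=lambda h: -h[1])

def constructed_capture():
    """Constructed sample: one noisy host (500 requests in a second), one quiet host."""
    fmt = ("{ts} {src} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: "
           "Request who-has 192.0.2.{t} tell {ip}, length 46")
    noisy = [fmt.format(ts=f"1208000000.{i:06d}", src="00:16:3e:00:00:aa",
                        t=i % 254 + 1, ip="192.0.2.77") for i in range(500)]
    quiet = [fmt.format(ts=f"120800000{s}.000001", src="00:16:3e:00:00:bb",
                        t=1, ip="192.0.2.10") for s in (0, 0, 1)]
    reply = ["1208000000.500000 00:16:3e:00:00:01 > 00:16:3e:00:00:bb, ethertype ARP "
             "(0x0806), length 60: Reply 192.0.2.1 is-at 00:16:3e:00:00:01, length 46"]
    return noisy + quiet + reply

if __name__ == "__main__":
    for mac, pps, ips in storm_sources(constructed_capture()):
        print(f"{mac} peak {pps} pps, claims {ips}")
```

Counting by source MAC rather than by IP still identifies the sender when the claimed IP address is missing or does not show up in the monitoring tool.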
