11 or 100 pps is nothing - not even close to anything to worry about. A 10Mb Ethernet "network" does over 19K pps. Most broadcast storm control features default to several thousand pps, so really - 11 or a 100 is a tiny fraction of a percent or available bandwidth.
Switching Loops don't cause broadcast storms. If there is a loop it won't be found looking for excessive broadcasts. Gary -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Queiroz Sent: Saturday, April 12, 2008 10:13 PM To: [email protected] Subject: Re: [Ntop] NTOP against Broadcast Storms Hello Jeronimo, Broadcast storms normally are result of switching loops. You better avoid them using STP-enabled switches. 2008/4/12, Jeronimo Bezerra <[EMAIL PROTECTED]>: > > > Hello All, > > I installed ntop in my job to just detect broadcasts storms in my network. I > was satisfied until yesterday one computer with some trouble ( i didn't > locate it ) started to send almost 11.000 pps of ARP Requests ( broadcast ). > I sniffered with tcpdump to discover the source and tried to find the mac in > ntop. I didn't find the ip address from source, so i went to ntop, clicked > in "All protocols" and in Throughput, and I saw that the biggest user was > using 100 pps ( i saw in Packets-Current). So, the NTOP didn't help me to > detect the anomalous traffic ( i now that 100 pps in broadcast is a lot, but > it's not the same of 11.000 pps ). > > So, I use Debian Etch, run the ntop with this line: > > /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --skip-version-check -a > /var/log/ntop/access.log -i eth1.14 -p /etc/ntop/protocol.list -O > /var/log/ntop > > and this eth1 is a tagged vlan (14) port without IP. > > I read almost all documentation in ntop.org, i saw ntop does a lot more > things that i could possible imagine, but didn't find nothing specific about > broadcast storms. > > So, what detail I forgot ? Any help? > > Thanks a lot > > Jeronimo > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
