I beg to differ. When a switch is looped it magnifies any broadcasts indefinetaly.
Try it. Just plug a switch into itself, send a broadcast and see what happens. Shane -----Original Message----- From: Gary Gatten [mailto:[EMAIL PROTECTED] Sent: Monday, April 14, 2008 12:07 PM To: [email protected] Subject: Re: [Ntop] NTOP against Broadcast Storms 11 or 100 pps is nothing - not even close to anything to worry about. A 10Mb Ethernet "network" does over 19K pps. Most broadcast storm control features default to several thousand pps, so really - 11 or a 100 is a tiny fraction of a percent or available bandwidth. Switching Loops don't cause broadcast storms. If there is a loop it won't be found looking for excessive broadcasts. Gary -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Queiroz Sent: Saturday, April 12, 2008 10:13 PM To: [email protected] Subject: Re: [Ntop] NTOP against Broadcast Storms Hello Jeronimo, Broadcast storms normally are result of switching loops. You better avoid them using STP-enabled switches. 2008/4/12, Jeronimo Bezerra <[EMAIL PROTECTED]>: > > > Hello All, > > I installed ntop in my job to just detect broadcasts storms in my > network. I was satisfied until yesterday one computer with some > trouble ( i didn't locate it ) started to send almost 11.000 pps of ARP > Requests ( broadcast ). > I sniffered with tcpdump to discover the source and tried to find the > mac in ntop. I didn't find the ip address from source, so i went to > ntop, clicked in "All protocols" and in Throughput, and I saw that the > biggest user was using 100 pps ( i saw in Packets-Current). So, the > NTOP didn't help me to detect the anomalous traffic ( i now that 100 > pps in broadcast is a lot, but it's not the same of 11.000 pps ). > > So, I use Debian Etch, run the ntop with this line: > > /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --skip-version-check -a > /var/log/ntop/access.log -i eth1.14 -p /etc/ntop/protocol.list -O > /var/log/ntop > > and this eth1 is a tagged vlan (14) port without IP. > > I read almost all documentation in ntop.org, i saw ntop does a lot > more things that i could possible imagine, but didn't find nothing > specific about broadcast storms. > > So, what detail I forgot ? Any help? > > Thanks a lot > > Jeronimo > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
