Hi Jose, thanks for your help! Here we have all kinds of switchs, since unknown :) to cisco 2900. I already had a situation here where the problem was a loop and I fixed. But I already had a situation where I found a computer with almost 1000 diferent viruses creating a big storm of ARP, ipv6 and nbt. So, the point here is not about a loop or virus, but Why the ntop show me just 300 pps and not 11 000 pps? My intention is: how to detect a broadcast storm with ntop?
PS: in this moment, the storm is over, so if was a loop or don't, I can't fix it :) I really thank you for help! Jeronimo José Queiroz escreveu: > Hi Jerônimo, > > There is no reason a computer could send 11K packets of ARP, except > there is a switching loop there. > > Say, do you use in your network those small and cheap switches, said, > DLink DES-1008, Encore ENL-901NWay, etc.? > > When these devices are installed directly on user's rooms, it's easy > that the users change the way the cables are mounted, and create > switching loops. I passed this problem myself... > > PS/Off-topic: Sou do Rio de Janeiro, se quiser posso te ajudar a > identificar o ponto onde está acontecendo esse loop. > > 2008/4/14, Jerônimo Bezerra <[EMAIL PROTECTED]>: > >> Hello All, >> >> i'm sorry for comma, my intention was tell 11 000 pps :) Follow my scenario: >> >> 80 VLANs and each of then with 100 until 600 computers; >> my ntop's NIC is tagged to 3 vlans ( 14, 145, 137 ); >> some unmanaged switchs, some hubs, e some managed switchs on each vlan; >> >> In one vlan ( 145 ) one computer was sending 11 000 pps of ARP >> broadcast, and my ntop was telling me just 300 pps. That's my question: >> why 300 pps? >> My core router was 99% of CPU. >> >> Jeronimo >> >> Graeme Fowler escreveu: >> >> >>> On Mon, 2008-04-14 at 11:06 -0500, Gary Gatten wrote: >>> >> > >> >> 11 or 100 pps is nothing - not even close to anything to worry about. A >> 10Mb Ethernet "network" does over 19K pps. Most broadcast storm control >> features default to several thousand pps, so really - 11 or a 100 is a tiny >> fraction of a percent or available bandwidth. >> >> >> > >> > I think Jeronimo's email ost a bit in translation - it was 11kpps, >> > phrased as "11.000 pps". Not every written language uses a comma as a >> > decimal separator for positive powers of ten :) >> > >> > >> >> Switching Loops don't cause broadcast storms. If there is a loop it >> won't be found looking for excessive broadcasts. >> >> >> > >> > Loops in ethernet networks cause all manner of lunacy, because they >> > amplify anything that isn't unicast. After some time (depending on >> > hardware), they amplify unicast too as the L2 devices involved age out >> > or conflict out their MAC tables; once most switches see MAC addresses >> > on several ports they can get a little confused! >> > >> > Jeronimo - you gave no indication of your network topology, and only a >> > vague description of what happened so it's tricky to tell you why you >> > didn't see the problem with ntop. >> > >> > Graeme >> > >> > _______________________________________________ >> > Ntop mailing list >> > [email protected] >> > http://listgateway.unipi.it/mailman/listinfo/ntop >> > >> >> _______________________________________________ >> Ntop mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop >> >> > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
