mcd
Matthew Tagg wrote:
1. The refresh period is never generally > 5 minutes, and the problem existed much longer than that.
2. We cleared ARP tables on the managed switch constantly.
3. We also cleared ARP on the windows machine "ARP -D *"
----- Original Message ----- *From:* KanjiSoft Systems <mailto:[EMAIL PROTECTED]> *To:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> *Sent:* Tuesday, November 30, 2004 3:46 AM *Subject:* Re: [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
Matthew,
Switches keep track of which mac addresses are on which port for
that switch, i.e. you have a table on the switch of mac
address/port. It's possible that there are two entries in the
switch table for the same mac address but different port. This
could happen if you switched a mac card, for example. Switch
tables are supposed automatically obselete their entries after a
while, not sure on the details. Another idea is clear the arp
table on your originating host, which will trigger an arp
broadcast which might reset the switch table entry for the
mac address in question.
mcd
----- Original Message ----- *From:* Matthew Tagg <mailto:[EMAIL PROTECTED]> *To:* [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> *Sent:* Monday, November 29, 2004 7:52 AM *Subject:* [WinPcap-users] Criritcal issue: NIC stealing all ARP requests.
We have a machine in our datacenter that started stealing
ARP's request once we installed WinpCap and Traffic Statistic
(http://www.trafficstatistic.com). Marcel Bartels the
author assures me it not related to his application thus I'm
wondering if any othe WinPCap users have heard of this.
Basically it is answering ARP's from the switch for IP's that
are not assigned to the machine. This had the effect of
DOS'ing other boxes on the same switch for which the IP did
belong to. It was intermittent because obviously the real box
that owned the IP would sometimes beat the rogue machine with
an ARP reply.
The very strange things is after winpcap and trafficstatstic
where uninstalled, it STILL continued to steal ARP's. Then we
swapped out the network card for an identical one, same
problem. We eventually installed a second card this time
1000mpbs Realtek and unplugged the 100mpbs from the network.
This solved it as a temporary measure.
Also Promiscuous and Brodacast mode where unchecked in the
trafficstatistic software.
Additional details:
OS: Windows 2003
Network: Realtek 100MBps
Other software: Netlimiter (installed 1 week before the
incident and later uninstalled too along with winpcap).
Off the top of my head I can suspect:
- buggy drivers
- winpcap bug
- some low-level registry setting changed
Thanks for any help
Regards, Matthew
================================================================== This is the WinPcap users list. It is archived at http://www.mail-archive.com/[email protected]/
To unsubscribe use mailto: [EMAIL PROTECTED]
==================================================================
