Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] ARP "storms" in Win98

To: "'[email protected]'" <[email protected]>, [email protected]
Subject: RE: [FW1] ARP "storms" in Win98
From: Iona College Firewall Mailing List <[email protected]>
Date: Wed, 11 Oct 2000 11:54:12 -0400
Cc: "Katz-Braunschweig, Daniel" <[email protected]>
Sender: [email protected]

I've come across this for a number of reasons, all of them software related.

1) Yahoo Pager!  I had a long discussion with the vendor about why it's
trying to communicate with every host on the LAN, they have no clue.
2) HP JetAdmin or JetPrinter drivers, the new version of HP printer drivers
allow you to add an HP jet Direct port almost as a local port, this requires
that the machine build a list of all available printers on the subnet, hence
the ARP storm.

I've found that the easiest way to answer this question is to setup one
workstation with a known IP on the same segment as a sniffer (NB - this does
not have to be on the same segment as the offending machine, ARPs are
broadcast).  Set the sniffer to capture all data from the offending machine
to your test machine.  When the offending machine finally ARPs for the test
machine's MAC, it will get a response.  Whatever software is trying to
communicate to every machine on your network will then send out something,
evaluate what that something is!

In the case of HP JetAdmin is was an SNMP packet for the HP Printer status.
Obviously the test machine didn't respond properly so the offending machine
continued on it's ARP storm.  In the case of Yahoo Pager, it tried to open a
TCP session to a particular port (I don't remember which one).  You'll see
this as a packet with the SYN (Synchronize Sequence Numbers) flag set, check
the destination port and determine what applications use that port.

Good luck.
Daniel Katz-Braunschweig
Network Specialist - Iona College
MCSE, CNA, A+



-----Original Message-----
From: Declan McKibben [mailto:[email protected]]
Sent: Wednesday, October 11, 2000 10:57 AM
To: [email protected]; [email protected]
Cc: [email protected]
Subject: [FW1] ARP "storms" in Win98



Sorry if this is a bit off topic but I have a win98 laptop on the lan and it
constantly arps for 
every address on the subnet (which has a 16bit mask!). I have tried static
and dhcp 
addresses, uninstalling the tcpip stack, reinstalling, changing NICs,
checking all apps and so 
on but can't find the culprit.

Anyone come across this kind of thing before. I would olike to find out
what's wrong beofre 
doing a rebuild.

regards and thanks

declan


Declan McKibben
Dublin
Ireland
+353-87-2243170
+353-1-8366160
mailto:[email protected] 
_____________________________________

Get your free E-mail at http://www.ireland.com


============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1] ARP "storms" in Win98
Next by Date: [FW1] Bad MIME attachment syntax
Previous by thread: RE: [FW1] ARP "storms" in Win98
Next by thread: RE: [FW1] ARP "storms" in Win98
Index(es):
- Date
- Thread