Strange Traffic on Cable Modem

Status
Not open for further replies.

fixedexe

Technical User
Oct 30, 2003
2
US
Hi all, this is my first post here, although I am currently studying for my MCSA so I think I'll be hanging around for a while. I have a question I hope someone can help me with, because currently I can't figure it out and neither can my ISP's tech support. Regularly, not all the time but maybe 1 per hour or 1 per 45 minutes, I get crazy traffic over my cable modem. This traffic isn't going to me; at least my firewall shows no logs of traffic and netstat shows no connections, but there are crazy amounts of bandwidth being used. I installed a packet sniffer and I'm showing like 40000 packets in 10 minutes. Most of them, 99%, are ARP protocol stuff from 10.20.0.1 to 10.20.1.95, 10.20.1.96, 10.20.1.97 etc. Who is 10.20.95.3? tell 10.20.0.1. Ipconfig shows my IP as 10.20.10.238 and my local gateway as 10.20.0.1. What's going on here? Is my cable modem just trying to figure out what computers are on the network or what? This traffic continues whether or not the computer is on or off, btw. Thanks for the input.
 
Being that your local gateway is 10.20.0.1 and your assigned IP address is 10.20.10.238, it would seem that you are on a subnetted class B network. Possibly 10.20.0.0 255.255.128.0 or higher. This would mean that hosts from 10.20.0.1 (the gateway in this case) all the way to 10.20.127.254 would be effectively on the same LAN. You wouldn't see ARP requests from other machines unless you were on the same local subnet.

I would think that what you are seeing is your router (gateway 10.20.0.1) communicating with other hosts, in this case 10.20.1.97 etc. You can't see traffic directed specifically at those hosts, but you can see broadcasts from them and from the router. This is why you are seeing ARPs.

Ask your ISP how large the subnet that you are in is. If it is big, like say 255.255.128.0, then you could have thousands of hosts inside of it. With all of them broadcasting all the time, it would make for a lot of unnecessary traffic. Not to mention it's easier to hack when you don't have to cross a router. Anyways, ask your ISP how big the subnet is. I bet they are using a huge class B subnet to make routing easier on their end. Otherwise they would have the added administration of having to create separate smaller subnets each time their user base grew.

Hope this helps
 
What it sounds like is somebody plugged in those cable-modem routers backwards. Plug a NAT router in backwards, and you end up with it trying to resolve the internet.

They call these things broadcast storms, as they go through cut-through switching. Either that, or bad hardware on the line somewhere. I've seen HP JetDirect boxes fail by spewing out 1's. Kills a local segment.
 
So the router is plugged in backwards, you figure? I have a question that's not directly related to this first, though: can someone explain subnetting to me? As far as this goes, here's the official response from my ISP after sending them the packet log.

The traffic you are detecting is from the WADSNET router but it is simply fulfilling ping requests from other cable modems. That isn't unusual except the ordered progression of the ARP requests indicates that there is someone out there with a virus (such as MSBlast) that is sequentially attempting to connect. It isn't unusual, unfortunately. It may be happening at night as someone is turning their computer on and the virus is getting to work then.

I wouldn't panic. Again, it isn't unusual. The Internet Administrator keeps an eye on unusual activity of the computers on the network and does a great job of helping people fix their machines so they don't make modems like yours show all that activity.

So it's incompetence then?
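
Added example, not part of the original thread or written by any poster: a small Python check for the "ordered progression" of ARP targets that the ISP reply describes, plus a test of whether a host shares a segment with the gateway. The capture lines are constructed in the "Who is X? tell Y" form quoted above, the function names are hypothetical, and the 255.255.128.0 mask is the guess from the first reply, not a confirmed value.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "Who is X? tell Y" form quoted in the thread.
SAMPLE = """\
Who is 10.20.1.95? tell 10.20.0.1
Who is 10.20.1.96? tell 10.20.0.1
Who is 10.20.1.97? tell 10.20.0.1
Who is 10.20.1.98? tell 10.20.0.1
Who is 10.20.1.99? tell 10.20.0.1
Who is 10.20.0.1? tell 10.20.10.238
Who is 10.20.44.7? tell 10.20.0.1
Who is 10.20.3.200? tell 10.20.0.1
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ARP_RE = re.compile(rf"Who is {IP}\? tell {IP}", re.IGNORECASE)

def parse_arp(text):
    """Yield (sender, target) address pairs from ARP who-has lines."""
    for m in ARP_RE.finditer(text):
        yield ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(1))

def sequential_runs(text, min_run=4):
    """Return {sender: [(first, last, length)]} for runs of consecutive targets."""
    last, start, length = {}, {}, {}
    runs = defaultdict(list)

    def close(sender):
        # Record the run that just ended if it was long enough to look like a sweep.
        if length.get(sender, 0) >= min_run:
            runs[sender].append((str(start[sender]), str(last[sender]), length[sender]))

    for sender, target in parse_arp(text):
        if sender in last and int(target) == int(last[sender]) + 1:
            length[sender] += 1
        else:
            close(sender)
            start[sender], length[sender] = target, 1
        last[sender] = target
    for sender in list(last):
        close(sender)
    return {str(k): v for k, v in runs.items()}

def same_segment(host, gateway, netmask):
    """True if host lies in the subnet implied by the gateway address and mask."""
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    return ipaddress.ip_address(host) in net
```

A long run reported against the gateway address means the router is resolving a sequential sweep on someone's behalf; the scanning host itself has to be found from the router's side, since only the broadcast requests are visible on the segment.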
 
I went through this once on a large DHCP setup... only for whatever reason, the DHCP lease was set to an insanely small timeframe... three minutes as I recall.

Thus, every three minutes everything on the network, which consisted of several hosts and other routers would storm the network with DHCP lease requests and many hosts would be flooded off the network in the deluge.

This is an anecdotal experience and may not relate to your problem at all... but it's easy enough to check.
 
I believe it is the virus case. They are set to scan ranges of IP addresses. You just happen to be getting hit with some of the traffic because you are on the same network.
 
I have only 1 question.

Are you with Vidéotron ltée?

If so, the streaming you see is caused by their online reality show and TV program. They are using their cable for these signals; the packets are comparable to an ARP packet, but it's for their receptor.

It is not "supposed" to be this way since we aren't supposed to see the streaming, but since mid-October they have a flaw, which is supposed to be corrected by now.

Could be false information, but it's what the technician of the company told me when I called them.
 