----- Original Message -----
From: "GertJan Spoelman"
On Thursday 08 May 2003 10:28, jiade wrote:
I got arp storm in my network(30 PCs and some WLAN devices), about 10,000 arp requests per second, no responses,lasting for severalminutes,all these arp requests have the same content which looks very strange:
SRC DST info 0060e0017d96 0060f0017d96 who has 192.168.1.188? tell 192.168.1.188
it's an arp request but the DST is not a broadcast, and the DST is a real MAC address of one of my netcards while the SRC is a fake one. This happens several times a day but not regularly. Who will send millions of this kind of arp requests?
Later I captured these packets and replayed this storm at 10000packets/s, no matter what kind of upper level protocol stuff (ARP,UDP or somethingelse) I filled in these packets ,they will jam up the Linux box whose MAC address is the same as the SOURCE (not the destination) MAC address of these packets.
First you say the SRC is fake and now you say it locks up the SRC or did you also replace the SRC address?
Sorry, I've made a mistake, the SRC is real but the DST is fake.
When I change the packets'source MAC address with the destination MAC address,the Linux box works well.I don't know the reason.
Need your help, thanks.
Since the SRC and DST MAC addresses differ only 1 bit (e0 / f0) it could well be that it comes from the same NIC maybe it has some weird hardware defect, first thing I would do is replace that NIC. --
I did replace the NIC, but it was the same, the storm packets' SRC and DST MAC addresses still differ 1 bit or 2.
GertJan
Email address is invalid, so don't reply directly, I'm on the list.
Jiade