[c-nsp] huge amount of weird traffic on point-to-point ethernet link
Jay Hennigan
jay at west.net
Thu Nov 9 19:25:21 EST 2006
Primoz Jeroncic wrote:
> Ok now my problem... Ethernet utilization on main router went up to
> 100% and when I was checking traffic with netflow I noticed huge
> amount of traffic between 172.16.6.222 and 172.16.10.101. There
> were only less than 30 flows in 30mins, but there were more than
> 6GB of traffic between those two addresses in this time.
> and
> Really weird thing is, that I don't route private prefixes over this
> link and none of routers (main router and L3 switches) has 172.16.0.0/12
> prefix (or part of it) in its routing tables. Also there's no private
> prefixes in any of my routing tables.
>
> Does anyone have some idea how to locate what exactly is happening?
> I don't mean for backwards, but in case if it will happen in future
> again. For now I routed 172.16.0.0/12 to Null0 on main router and
> traffic stopped, but I still want to know what or who caused this
> weird traffic.
>
> PS: Just another info... traffic didn't go out on any other ports on
> main router, so it was really just on link between main router and L3
> switch.
Indeed strange. I'd do a "sho ip arp" on those addresses, see if they
are in any of your layer 2 devices, look up vendor codes to try to
determine the origin. http://coffer.com/mac_find/ is a good tool for
this. Maybe a peer-to-peer app trying to stream to a private IP in error?
We see a lot of weirdness with customer NAT boxes and their DHCP
servers, but they typically cause spew 192.168.0.x or 192.168.1.x. If
you see 192.168.168.168 someone has a Sonicwall at factory default
plugged in wrong.
--
Jay Hennigan - CCIE #7880 - Network Administration - jay at west.net
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323 - WB6RDV
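
The "sho ip arp" plus vendor-code check suggested above, as an added example that is not part of the original message: it parses IOS "show ip arp" output, extracts the OUI, and notes the two cases where a vendor lookup gives no answer (Incomplete entries and locally administered MACs). The sample output and MAC addresses are constructed, and OUI_VENDORS is a two-entry stand-in for the full IEEE registry.

```python
import re

# Constructed sample of IOS "show ip arp" output; the MAC addresses are
# invented for illustration and do not come from the thread.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.6.222            3   0000.0c12.3456  ARPA   FastEthernet0/1
Internet  172.16.10.101           0   Incomplete      ARPA
Internet  192.168.168.168         1   0006.b1a0.1234  ARPA   Vlan10
Internet  10.0.0.7               12   0200.5e10.0001  ARPA   Vlan20
"""

# Small excerpt standing in for the IEEE OUI registry (assumption: a real
# lookup would load the complete registry file instead).
OUI_VENDORS = {"0006B1": "SonicWALL", "00000C": "Cisco Systems"}

ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|Incomplete)\s+"
    r"(?P<type>\S+)(?:\s+(?P<intf>\S+))?\s*$"
)

def parse_arp(text):
    """Return {ip: entry} for each row of 'show ip arp' output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        entry = {"interface": m["intf"], "mac": None, "oui": None,
                 "vendor": None, "note": None}
        if m["mac"] == "Incomplete":
            # The router ARPed for the address and got no reply.
            entry["note"] = "no ARP reply on this segment"
        else:
            mac = m["mac"].replace(".", "").upper()
            entry["mac"], entry["oui"] = mac, mac[:6]
            if int(mac[:2], 16) & 0x02:
                # Locally administered bit set: prefix is not a vendor OUI.
                entry["note"] = "locally administered MAC, no vendor OUI"
            else:
                entry["vendor"] = OUI_VENDORS.get(mac[:6], "unknown OUI")
        table[m["ip"]] = entry
    return table

if __name__ == "__main__":
    for ip, entry in parse_arp(SAMPLE).items():
        print(ip, entry)
```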