[techtalk] router/switch question

Raven, corporate courtesan raven at oneeyedcrow.net
Fri Feb 8 07:03:15 EST 2002


Heya --

Quoth Tania M. Morell (Thu, Feb 07, 2002 at 11:29:20PM -0500):
> I was first downloading/installing ximian and later downloading openssh3...
> the activity went on throughout the whole time it took to do these things.

	Okay, that shouldn't be a lot of broadcast traffic.  So it's
weird that you're seeing this behaviour.  You said that your brother's
XP box shows the same behaviour when he's doing anything on the network?
Are you just seeing this any time any of your computers use the network?
(If so, then either you've got a broken switch, you need to change its
config settings if it has any, or your retailer charged you for a switch
and sold you a hub.)

	If I were you, I'd look up the model of switch online, look for
configuration options, and make sure that what you got is what you paid
for. 
 
> this computer is connected to a linksys router which is then connected
> to the switch. One possible theory could be that switch doesn't
> recognise the mac address of the computer since it's not connected
> directly to the switch.  

	Most switches don't need it to be directly connected to forward
packets properly.  The Linksys may be proxy-ARPing (giving its own MAC
address when the switch sends out an ARP query for the MAC address of
your IP).  If it's not, that might be your problem... the switch won't
ever see a frame with your computer's MAC address, since the router will
redo the layer-2 headers whenever it receives a frame from your
computer.  So the switch wouldn't know "where" your MAC address is, and
would send to everywhere.  But most LAN devices I've seen do proxy ARP
by default.  

> hmm.  i don't have a broadcast frame.
 
	I'm sure there are some crossing your network every so often --
it's just a type of packet, essentially.  (Frames are packets, but for
Ethernet rather than IP.*  They function at a lower level than IP, so
you often have both on the same network.  The IP packet gets
encapsulated within the Ethernet frame.)  Part of normal network
operations.

* This is a lie -- it's oversimplified.  Ask if you want the correct and
* more complex explanation, but I didn't want to be too confusing off
* the bat.

> I was only downloading stuff.  there was no running apps.  unless you want
> to count netscape.

	Any program that uses the network counts, so yah, Netscape
counts.  It doesn't have to be a daemon or anything.

> I have a w2k machine also on the network which had a virus last week. Do you
> think there could be a virus that attacks stuff on the network? like a
> sniffer or something.
 
	Possible, but usually what happens when you have a machine on
the network sniffing traffic is that it will listen to all traffic sent
to its port (if it's connected to a hub) or fake replies so that all
traffic will be sent to its port as well as to its correct destination
(on a switch).  So if that were the case, you'd see the lights on for
your computer and the compromised machine when you were using the
network, but not for the other computers.

	Also, if you had a virus that was actively attacking things on
your network, you'd see a heck of a lot more traffic than you are seeing.
And you can rest somewhat assured -- sadmind/IIS notwithstanding, there
are few worms and viruses that attack both *nix and Windows machines.

	Honestly, I think the most likely thing is that your switch is
acting like a hub.

Cheers,
Raven

<NCC> Derek says, "anyone interested in buying a Game Cube?"
<NCC> Path says, "joking?"
<NCC> Robert says, "How much? : )"
<NCC> Raven says, "Can I put Linux on it?"
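
Added example, not part of the original post: one way to test the "switch acting like a hub" theory from a capture taken on one PC. A learning switch should deliver only frames addressed to that PC's MAC, broadcasts, multicasts, and an occasional flooded frame; a steady share of unicast frames for other hosts points to a hub or a switch that is flooding. The MAC addresses, the sample frames and the 20% threshold are constructed assumptions, and the capture is assumed to come from an interface in promiscuous mode.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (no FCS) for the constructed capture."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def classify(raw, my_mac):
    """Say why a frame reached our NIC, or 'foreign' if it had no reason to."""
    if len(raw) < 14:
        return "runt"              # too short to hold an Ethernet header
    dst = raw[0:6]
    if dst == my_mac:
        return "mine"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    return "foreign"               # unicast addressed to some other host

def summarize(frames, my_mac):
    counts = {"mine": 0, "broadcast": 0, "multicast": 0, "foreign": 0, "runt": 0}
    for raw in frames:
        counts[classify(raw, my_mac)] += 1
    return counts

def looks_like_hub(counts, threshold=0.2):
    """True when foreign unicast is a sustained share of valid frames (assumed cutoff)."""
    total = sum(counts.values()) - counts["runt"]
    return total > 0 and counts["foreign"] / total >= threshold

# Constructed sample captures as seen from the PC with MAC `ME`.
ME, PC_B, ROUTER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
ARP_BCAST = frame("ff:ff:ff:ff:ff:ff", PC_B, 0x0806)
# Behind a working switch: our traffic, one broadcast, one flooded unknown unicast.
ON_SWITCH = [frame(ME, ROUTER)] * 8 + [ARP_BCAST] + [frame(PC_B, ROUTER)]
# Behind a hub: PC_B's download shows up on our port as well.
ON_HUB = [frame(ME, ROUTER)] * 4 + [frame(PC_B, ROUTER)] * 5 + [ARP_BCAST]

if __name__ == "__main__":
    for name, capture in (("switch", ON_SWITCH), ("hub", ON_HUB)):
        c = summarize(capture, mac(ME))
        print(name, c, "hub-like" if looks_like_hub(c) else "switch-like")
```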


