Security Basics mailing list archives

Re: Invisible dilemma - ARP flush


From: Bryce Verdier <bryceverdier () gmail com>
Date: Thu, 15 Mar 2007 00:06:25 -0700


I don't know how much this will help... but apart from the investment
of time it can't hurt. Try putting an ntop (http://www.ntop.org) box
between office B and the default gateway. If you can capture everything
over that span of a day or a few... you at least have the information to
start searching for the problem.

Again... I'm not sure if this will help... but I as an inexperienced
person would try it. Information gathering is never a bad thing.

Best of luck, and I'd like to hear the results.

bryce


WALI wrote:

We have 100 MBps EoATM link between two office buildings. Say A and B.
Server and majority of users are in Building A while a few (about 150)
are in Building B. Router on the Building B end is configured for QoS
as there is also Voice traffic floating across.

The connection between the two buildings has been recently upgraded to
100 MBps from initial 10Mbps.

Once every 2-3 days, users from building B start to complain about
slow network connections to Servers lying in Building A. The usual
ping from B to A that takes <1ms increases to 30-40ms. Ethereal shows
no Broadcast traffic. Building A users complain of no such problems
either. 100 Mbps connectivity between the two buildings remains under
utilised. To me, it seems to be a problem local to Building B. We have
four L3 48 port switches cascaded with gigabit uplink to each other. 2
VLANs and spanning tree enabled on all.

Crazy Solution: I take out any patch cable and re-insert it, the
problem gets resolved. I reset any switch, the problem gets resolved.
I disconnect any uplink cable between the four switches or do an ARP
reset through the command line, the problem gets resolved for a couple of
hours or even days.

But where could the problem lie?

I have run Nessus, and did find quite a few unpatched Windows machines in
Building B that had lost their connection with WSUS, so did the
patching. Made sure that all the machines are running the latest
anti-virus definitions. Sent a mail across to all users to get their
laptops checked for latest updates (although few have returned).

What else can I do next time the problem recurs? It's a mystery till
now. The switch support provider has upgraded the IOS and says there
is nothing wrong with the switch. The VoIP provider maintains their
instruments are fine. Is there any free bandwidth monitoring software?
What else can help me here apart from routine Wireshark/Ethereal?

Where else could the problem lie?
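Since an ARP reset clears the symptom for hours, one thing worth pulling out of the capture Bryce suggests is the ARP traffic itself: whether any IP (the gateway above all) is being answered for by more than one MAC, and whether some host is repeatedly announcing itself with gratuitous replies. The script below is an added example, not code from either poster; it assumes the capture has been exported to one line per ARP frame in the order epoch time, opcode, sender MAC, sender IP, target IP (the sort of field list tshark can be asked for), and the sample lines it carries are constructed, not data from the thread.

```python
"""Flag IP-to-MAC binding changes and gratuitous-ARP bursts in an ARP export.

Added example for the thread above; field order and the sample data are
assumptions, not something taken from the posters' network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export: "<epoch> <opcode> <sender_mac> <sender_ip> <target_ip>".
# 10.1.2.1 plays the gateway; de:ad:be:ef:00:01 briefly claims it, then
# announces itself three times in quick succession.
SAMPLE_ARP_LOG = """\
1173942000.10 2 00:11:22:33:44:55 10.1.2.1 10.1.2.50
1173942001.20 2 00:11:22:33:44:aa 10.1.2.77 10.1.2.50
1173942005.00 2 00:11:22:33:44:55 10.1.2.1 10.1.2.51
1173942030.00 2 de:ad:be:ef:00:01 10.1.2.1 10.1.2.50
1173942031.00 2 de:ad:be:ef:00:01 10.1.2.1 10.1.2.1
1173942032.00 2 de:ad:be:ef:00:01 10.1.2.1 10.1.2.1
1173942033.00 2 de:ad:be:ef:00:01 10.1.2.1 10.1.2.1
1173942090.00 2 00:11:22:33:44:55 10.1.2.1 10.1.2.52
"""


@dataclass
class ArpRecord:
    ts: float
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A reply whose sender and target IP match is the host announcing its own binding.
        return self.opcode == 2 and self.sender_ip == self.target_ip


def parse_arp_log(text: str) -> list[ArpRecord]:
    """Parse the whitespace-separated export; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, op, mac, sip, tip = line.split()
        records.append(ArpRecord(float(ts), int(op), mac.lower(), sip, tip))
    return records


def find_binding_changes(records: list[ArpRecord]) -> list[tuple]:
    """Return (ts, ip, old_mac, new_mac) each time an IP is answered for by a new MAC."""
    last_mac: dict[str, str] = {}
    changes = []
    for r in sorted(records, key=lambda r: r.ts):
        if r.opcode != 2:
            continue
        prev = last_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            changes.append((r.ts, r.sender_ip, prev, r.sender_mac))
        last_mac[r.sender_ip] = r.sender_mac
    return changes


def gratuitous_bursts(records: list[ArpRecord], window: float = 10.0,
                      threshold: int = 3) -> dict[str, int]:
    """Return {mac: peak count} for senders with >= threshold gratuitous replies in any window."""
    stamps_by_mac: dict[str, list[float]] = defaultdict(list)
    for r in records:
        if r.gratuitous:
            stamps_by_mac[r.sender_mac].append(r.ts)
    noisy: dict[str, int] = {}
    for mac, stamps in stamps_by_mac.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                noisy[mac] = max(noisy.get(mac, 0), count)
    return noisy


if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_LOG)
    for ts, ip, old, new in find_binding_changes(recs):
        print(f"{ts:.2f}: {ip} moved from {old} to {new}")
    for mac, n in gratuitous_bursts(recs).items():
        print(f"{mac} sent {n} gratuitous replies within 10s")
```

Run against a real export, a binding change on the gateway address that lines up with the onset of the 30-40ms pings is the thing to chase; a change that only ever flips between two switch or router MACs points at the uplinks and spanning tree rather than at a host.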



