
Topic: Help on where to go from here..
Replies: 1   Pages: 1   Last Post: Sep 13, 2007 5:09 PM by: Eivind Pedersen


mCassidy

Posts: 1
Registered: Sep 12, 2007
Help on where to go from here..
Posted: Sep 12, 2007 6:18 AM

I am looking for some help on identifying what type of activity is
possibly happening on my home computer and what I can do about it. (I am using Network Probe on my home computer and am not sure what to do next with the information I have found).

I suspected that there was SOME type of activity as my HDD always
seems to be running... just a teeny little bit at a time, but when there
is nothing going on in the room I notice it. I went through the
updates of Spybot, Ad-aware, Spywareblaster... cleaned up some usual
junk but nothing serious. I did a little bit of reading and ended up
downloading Network Probe. I figured out how to view the activity
from my computer and right away it looked like I had a lot of activity
from a Protocol named ether.ARP. Looking at the conversations using
this protocol I see a growing list transferring anywhere from ~1KB up
to about 30KB over a varied number of packets.

For example, the largest size (32.7KB) was first seen at 23:01:26
(when I first started the program) and by the latest sighting at
23:49:56 had transferred (now) 33.3KB over 533 packets. Neither the
Source Host nor the Destination Host matches my IP address/Default Gateway.

ether.ARP is the top protocol for activity in the past hour with 3.7MB
over 60,000+ packets!! That just doesn't seem like normal activity!

Looking closer at the list of conversations for this protocol I see a
few key Source Hosts:
1) cpe-xx-xxx-xx-x.cinci.res.rr.com
2) VOIP-xx-xxx-xx-x.cinci.rr.com
3) user-xxxxxxx.cable.mindspring.com
4) rrcs-xx-xxx-xx-xxx.central.biz.rr.com
5) dhcp-xx-xx-xxx-xxx.cinci.twc.wcoilexpress.com

(There are a couple variations of the xx's through the list but these
are the major hosts)

Anyhow, I am a little stumped from here. Some of the Source Hosts
share the same IP as my Default Gateway. I am wondering what I can do
with this information and how I can stop this information from being
transferred through my computer. I thought that I could possibly
block each of these addresses... but I am not sure that is the best
solution.

Hopefully someone can help me towards the right direction.

Thanks

(I will add that I am (obviously) not into networking/security by trade - but this product has been great and already shown me a ridiculous amount of information I had not known about. Thanks!)

Eivind Pedersen

Posts: 472
From: Oslo, Norway
Registered: Jun 11, 2002
Re: Help on where to go from here..
Posted: Sep 13, 2007 5:09 PM

Most likely you have connected the computer running Network Probe to a non-SPAN port on the switch (or are using a wireless access point). Thus you will only see traffic going to/from this computer, as well as broadcast and multicast traffic. ARP (Address Resolution Protocol) is one type of broadcast traffic. It works by broadcasting a packet to all hosts on the network, where the header includes the IP address the sender is interested in communicating with.

So I believe the high amount of ARP data is normal, especially if you are connected to a network with many nodes. It _could_ be some kind of ARP storm, but it should not lead to activity on your HDD. Broadcast storms can lead to loss of network connectivity.

Best regards,
Eivind Pedersen
ObjectPlanet, Inc.
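To make the reply's explanation concrete, here is an added example (written for this page; it is not part of the original thread and is not Network Probe's code) that decodes raw Ethernet/ARP frames the way a sniffer sees them on a non-SPAN port. It shows that an ARP request is addressed to the broadcast MAC ff:ff:ff:ff:ff:ff and that the ARP header carries the IP the sender wants to reach ("who has 192.168.1.1?"), and it counts broadcast requests per sender so a busy but normal LAN can be told apart from a single host flooding the segment. The sample frames, MAC/IP addresses and the 50 packets-per-second threshold are constructed for the example.

```python
"""Decode Ethernet/ARP frames and summarise ARP broadcast activity.

Added example, not code from the forum thread or from Network Probe.
All frames, addresses and the storm threshold below are constructed.
"""
import struct
from collections import Counter

# Ethernet header: dst MAC, src MAC, EtherType (network byte order)
ETH_HDR = struct.Struct("!6s6sH")
# ARP header: htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return a dict describing an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet (htype 1) over IPv4 (ptype 0x0800) handled here
    return {
        "broadcast": dst == BROADCAST_MAC,   # requests go to every host on the segment
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, f"op{op}"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),  # the IP being asked about
    }


def build_arp(op, sha, spa, tha, tpa, dst=BROADCAST_MAC):
    """Build an Ethernet+ARP frame; used only to construct the sample traffic."""
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def summarise(frames, window_seconds, storm_threshold_pps=50):
    """Count broadcast ARP requests per sender MAC; flag senders above the pps threshold.

    The threshold is an assumed example value, not a published norm.
    """
    per_sender = Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == "request" and arp["broadcast"]:
            per_sender[arp["sender_mac"]] += 1
    storm = {mac for mac, n in per_sender.items() if n / window_seconds > storm_threshold_pps}
    return per_sender, storm


def sample_frames():
    """Constructed one-minute capture: a normal host and one host flooding requests."""
    gateway_ip = bytes([192, 168, 1, 1])
    zero_mac = b"\x00" * 6
    normal = build_arp(ARP_REQUEST, bytes.fromhex("001122334450"), bytes([192, 168, 1, 50]),
                       zero_mac, gateway_ip)
    flood = build_arp(ARP_REQUEST, bytes.fromhex("001122334499"), bytes([192, 168, 1, 99]),
                      zero_mac, gateway_ip)
    # a unicast reply from the gateway: not a broadcast, so not counted as request traffic
    reply = build_arp(ARP_REPLY, bytes.fromhex("001122334401"), gateway_ip,
                      bytes.fromhex("001122334450"), bytes([192, 168, 1, 50]),
                      dst=bytes.fromhex("001122334450"))
    return [normal] * 10 + [flood] * 4000 + [reply]


if __name__ == "__main__":
    first = parse_arp(sample_frames()[0])
    print(f"{first['op']} from {first['sender_ip']} ({first['sender_mac']}): who has {first['target_ip']}?")
    counts, storm = summarise(sample_frames(), window_seconds=60)
    for mac, n in counts.most_common():
        print(f"{mac}: {n} broadcast requests/min{'  <-- possible ARP storm' if mac in storm else ''}")
```

For scale, the original post's 60,000-plus ARP packets in an hour is roughly 17 packets per second across the whole segment, which a per-sender threshold like the one above would not flag; the usual sign of a real storm is one or two MAC addresses dominating the count, with the network itself becoming sluggish.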


