I am looking for some help on identifying what type of activity is possibly happening on my home computer and what I can do about it. (I am using Network Probe on my home computer and am not sure what to do next with the information I have found).
I suspected that there was SOME type of activity as my HDD always seems to be running..just a teeny little bit at a time but when there is nothing going on in the room I notice it. I went through the updates of Spybot, Ad-aware, Spywareblaster.. cleaned up some usual junk but nothing serious. I did a little bit of reading and ended up downloading Network Probe. I figured out how to view the activity from my computer and right away it looked like I had a lot of activity from a Protocol named ether.ARP. Looking at the conversations using this protocol I see a growing list transferring anywhere from ~1KB up to about 30KB over a varied amount of packets.
For example, the largest size (32.7KB) was first seen at 23:01:26 (when I first started the program) and by the latest sighting at 23:49:56 had transferred (now) 33.3KB over 533 packets. Neither the Source Host nor the Destination Host matches my IP address/Default Gateway.
ether.ARP is the top protocol for activity in the past hour with 3.7MB over 60,000+ packets!! That just doesn't seem like normal activity!
Looking closer at the list of conversations for this protocol I see a few key Source Hosts: 1) cpe-xx-xxx-xx-x.cinci.res.rr.com 2) VOIP-xx-xxx-xx-x.cinci.rr.com 3) user-xxxxxxx.cable.mindspring.com 4) rrcs-xx-xxx-xx-xxx.central.biz.rr.com 5) dhcp-xx-xx-xxx-xxx.cinci.twc.wcoilexpress.com
(There are a couple variations of the xx's through the list but these are the major hosts)
Anyhow, I am a little stumped from here. Some of the Source Hosts share the same IP as my Default Gateway. I am wondering what I can do with this information and how I can stop this information from being transferred through my computer? I thought that I could possibly block each of these addresses.. but I am not sure that is the best solution.
Hopefully someone can help me towards the right direction.
(I will add that I am (obviously) not into networking/security by trade - but this product has been great and already shown me a ridiculous amount of information I had not known about. Thanks!)
Most likely you have connected the computer running Network Probe to a non-SPAN port on the switch (or are using a wireless access point). Thus you will only see traffic going from/to this computer, as well as broadcast and multicast traffic. ARP (Address Resolution Protocol) is one type of broadcast traffic. It works by broadcasting a packet to all hosts on the network, where the header includes the IP address the sender is interested in communicating with.
So I believe the high amount of ARP data is normal, especially if you are connected to a network with many nodes. It _could_ be some kind of ARP storm, but it should not lead to activity on your HDD. Broadcast storms can lead to loss of network connectivity.
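As an added illustration of the point made in this reply (not code from the thread or from Network Probe), the script below decodes raw Ethernet/ARP request frames and, per sender, counts requests, bytes, whether the request was actually addressed to your own IP, and whether the request rate over the capture window looks like an ARP storm rather than ordinary background broadcasts. The frames and the `storm_pps` threshold are constructed assumptions for the example.

```python
# Added example: decode raw Ethernet/ARP frames and separate ordinary background
# ARP lookups from a storm. Frames below are constructed, not captured from the
# poster's network; storm_pps is an assumed threshold, not a standard value.
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType (14 bytes)
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1
BROADCAST = b"\xff" * 6

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp_request(src_mac, sender_ip, target_ip):
    """Construct a 'who-has' broadcast frame (sample data for this example)."""
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return ETH.pack(BROADCAST, src_mac, ETHERTYPE_ARP) + arp

def parse_arp(frame):
    """Return (op, sender_ip, target_ip, frame_len), or None for non-ARP frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _h, _p, _hl, _pl, op, _sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    return op, ".".join(map(str, spa)), ".".join(map(str, tpa)), len(frame)

def summarise_arp(frames, my_ip, window_s, storm_pps=100):
    """Per sender: request count, bytes, whether it asked for my_ip, and whether its
    request rate over the window exceeds storm_pps (a storm rather than background ARP)."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "asks_for_me": False})
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue
        _op, sender, target, size = parsed
        s = stats[sender]
        s["requests"] += 1
        s["bytes"] += size
        s["asks_for_me"] |= (target == my_ip)
    for s in stats.values():
        s["storm"] = s["requests"] / window_s > storm_pps
    return dict(stats)

# Constructed sample: two neighbours doing ordinary lookups, one flooding the segment.
SAMPLE = ([build_arp_request(b"\x00\x11\x22\x33\x44\x01", "10.0.0.5", "10.0.0.1")] * 300
          + [build_arp_request(b"\x00\x11\x22\x33\x44\x02", "10.0.0.9", "10.0.0.7")] * 5
          + [build_arp_request(b"\x00\x11\x22\x33\x44\x03", "10.0.0.12", "10.0.0.1")] * 5)

if __name__ == "__main__":
    for sender, s in summarise_arp(SAMPLE, my_ip="10.0.0.7", window_s=2).items():
        print(sender, s)
```

Senders that never ask for your IP and stay below the rate threshold are the ordinary neighbour lookups the reply describes; only a sender flagged `storm` is worth raising with the ISP or network operator.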