Malware on the system? Bad NIC hardware? Many things are possible including bridging loop. Depending on your switch architecture there are usually things you can implement on the distribution and core layers to mitigate the impact of these issues. If you have Cisco stuff I could help, if something else I can't help much.
Depending where your nTop box is placed (logically) and how it's actually seeing the traffic impacts what it can report on; Ie: mirrored uplinks? Mirrored access ports? Mirrored VLANs? Shared hub? Also, what version of STP are you running? PVST+, RSTP, MST? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Queiroz Sent: Monday, April 14, 2008 12:56 PM To: [email protected] Subject: Re: [Ntop] NTOP against Broadcast Storms Hi Jerônimo, There is no reason a computer could send 11K packets of ARP, except there is a switching loop there. Say, do you use in your network those small and cheap switches, said, DLink DES-1008, Encore ENL-901NWay, etc.? When these devices are installed directly on user's rooms, it's easy that the users change the way the cables are mounted, and create switching loops. I passed this problem myself... PS/Off-topic: Sou do Rio de Janeiro, se quiser posso te ajudar a identificar o ponto onde está acontecendo esse loop. 2008/4/14, Jerônimo Bezerra <[EMAIL PROTECTED]>: > Hello All, > > i'm sorry for comma, my intention was tell 11 000 pps :) Follow my scenario: > > 80 VLANs and each of then with 100 until 600 computers; > my ntop's NIC is tagged to 3 vlans ( 14, 145, 137 ); > some unmanaged switchs, some hubs, e some managed switchs on each vlan; > > In one vlan ( 145 ) one computer was sending 11 000 pps of ARP > broadcast, and my ntop was telling me just 300 pps. That's my question: > why 300 pps? > My core router was 99% of CPU. > > Jeronimo > > Graeme Fowler escreveu: > > > On Mon, 2008-04-14 at 11:06 -0500, Gary Gatten wrote: > > > >> 11 or 100 pps is nothing - not even close to anything to worry about. A > 10Mb Ethernet "network" does over 19K pps. Most broadcast storm control > features default to several thousand pps, so really - 11 or a 100 is a tiny > fraction of a percent or available bandwidth. > >> > > > > I think Jeronimo's email ost a bit in translation - it was 11kpps, > > phrased as "11.000 pps". Not every written language uses a comma as a > > decimal separator for positive powers of ten :) > > > > > >> Switching Loops don't cause broadcast storms. If there is a loop it > won't be found looking for excessive broadcasts. > >> > > > > Loops in ethernet networks cause all manner of lunacy, because they > > amplify anything that isn't unicast. After some time (depending on > > hardware), they amplify unicast too as the L2 devices involved age out > > or conflict out their MAC tables; once most switches see MAC addresses > > on several ports they can get a little confused! > > > > Jeronimo - you gave no indication of your network topology, and only a > > vague description of what happened so it's tricky to tell you why you > > didn't see the problem with ntop. > > > > Graeme > > > > _______________________________________________ > > Ntop mailing list > > [email protected] > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
