Craig thanks for the info but my system is not routed but in fact just bridged at this time. I have all my radios on 10.x.x.x subnet 255.255.255.0 and my clients on a class c subnet 255.255.255.000 so I would think I would get all the traffic back at my noc?
The switch is a basic 1 port auto negotiating non managable D-link if I remember not looking at it since I am at work right now. (night job)I want to get a cisco one in there so I am able to manage it better so I paln on hitting E-bay when I get some extra money to spend on it.. I will try putting in a switch tomorrow at the noc to see if I can scan some more to see more in detail possibly more trafic and the true source of the ARP requests. Quoting [EMAIL PROTECTED]: > Sounds to me like your switch isn't switching. The only traffic that a > machine plugged into a switch should see is its own traffic and broadcast or > > multicast traffic. Everything else should be invisible to it, unless you've > > configured the port you're plugged into as a management port. Otherwise, if > > you can packet-sniff *all* the traffic going through that switch then, > well... > it's not a switch. > > Anyway, that's sort of beside the point. One thing to keep in mind is that > if > you're packet sniffing at your hub/switch, you may not be seeing everything > > that's going on on your wireless network. For example, what if there > actually > are Welchia/Blaster-type worms on your wireless network, but all their ICMP > > traffic is being directed back out onto your network, instead of through your > > backhaul. For example, here's what Symantec says about Welchia's scanning > behavior: > > > Selects the victim IP address in two different ways: The worm uses either > > A.B.0.0 from the infected machine's IP of A.B.C.D and counts up, or it > will > > construct a random IP address based on some hard-coded addresses. > > > After selecting the start address, the worm counts up through a range of > > Class B-sized networks; for example, if the worm starts at A.B.0.0, it > will > > count up to at least A.B.255.255. > > Let's say that you set up your wireless network as a class B, such as > 10.1.0.0/16. Now what if one of your customers at say, 10.1.1.30 got > infected > with Welchia. The worm would probably start sending out ICMP echo requests > to > everything between 10.1.0.0 and 10.1.255.255. If you've got your AP > configured with a /16 netmask, all that ICMP traffic is going to stay local > to > that AP. None of it will ever come down your backhaul. So, if you're packet > > sniffing at the switch on the other side of the backhaul, you won't see > anything. > > The above example is assuming that the network design is routed, and not > bridged, and it may not even apply to your situation. The point I'm trying > > make though, is that to really know for sure what's happening on a particular > > network segment, you need to put your packet sniffer on the same segment. > Placing it down the line somewhere may not give you the full picture. > > Craig > > > Quoting Martin Moreno <[EMAIL PROTECTED]>: > > > T-1 >>switch> backhaul >tower both APS to south and north clients > > Switch also has connections going to it from my servers as well as my > home > > PC.. > > > > > > > > > > Quoting Mark Radabaugh <[EMAIL PROTECTED]>: > > > > > > > > > > > > > > > I have everything on a switch no hub and it sees everything fine from > > the > > > > clients up to my servers sending and receiving info.. > > > > > > > > > > Then you paid way too much for that switch :-) > > > > > > (or I just don't understand how you have things connected...) > > > > > > Mark > > > > > > > > > ----------ANNOUNCEMENT---------- > > > Don't forget to register for WISPCON IV > > > http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm > > > > > > The PART-15.ORG smartBridges Discussion List > > > To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe > > smartBridges > > > <yournickname> > > > To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe > > > smartBridges) > > > Archives: http://archives.part-15.org > > > > > > > > > Martin Moreno > > Blazen Wireless > > 909-907-4106 > > www.blazenwireless.com > > ----------ANNOUNCEMENT---------- > > Don't forget to register for WISPCON IV > > http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm > > > > The PART-15.ORG smartBridges Discussion List > > To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe > smartBridges > > <yournickname> > > To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe > > smartBridges) > > Archives: http://archives.part-15.org > > > > > > > ----------ANNOUNCEMENT---------- > Don't forget to register for WISPCON IV > http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm > > The PART-15.ORG smartBridges Discussion List > To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges > <yournickname> > To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe > smartBridges) > Archives: http://archives.part-15.org > Martin Moreno Blazen Wireless 909-907-4106 www.blazenwireless.com ----------ANNOUNCEMENT---------- Don't forget to register for WISPCON IV http://www.wispcon.info/us/wispcon-iv/wispcon-iv.htm The PART-15.ORG smartBridges Discussion List To Join: mailto:[EMAIL PROTECTED] (in the body type subscribe smartBridges <yournickname> To Remove: mailto:[EMAIL PROTECTED] (in the body type unsubscribe smartBridges) Archives: http://archives.part-15.org
