On Wed, 24 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in article <1193265460.173380.238880@v29g2000prd.googlegroups.com>, Philippe Signoret wrote: NOTE: Posting from groups.google.com (or some web-forums) dramatically reduces the chance of your post being seen. Find a real news server. >I ran Ethereal and captures all packets for 1 minute and 49 seconds. What network? What is on this network? >TCP 353 70.2% >UDP 15 3.0% >ICMP 13 2.6% >ARP 122 24.3% Fairly quiet - but without knowing _what_ you are looking at, it is difficult to say if this is normal or not. For example, if you are looking at a DSL connection, you are not likely to see any mono-cast traffic (traffic to/from a single IP address) that is not directed at your host. But you will _PROBABLY_ see all _broadcast_ traffic, where the router/switch does not know if "you" are the destination or not. >Is this a normal ARP packet percentage? It seems a bit high to me. Not enough information. The other question is what operating system are the hosts running? That may also have impact on the traffic. Old guy

On Thu, 25 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in article <4720f999$0$22312$ba620e4c@news.skynet.be>, goarilla wrote: >Moe Trin wrote: >> Fairly quiet - but without knowing _what_ you are looking at, it is >> difficult to say if this is normal or not. For example, if you >> are looking at a DSL connection, you are not likely to see any >> mono-cast traffic (traffic to/from a single IP address) that is not >> directed at your host. But you will _PROBABLY_ see all _broadcast_ >> traffic, where the router/switch does not know if "you" are the >> destination or not. >little question don't routers split up broadcast domains ? Classic routers - your big boxes from Cisco, Foundry, and others, that follow RFC1812 do not forward broadcasts - because the network address ranges are different on the various interfaces. See sections 5.3.4. and 5.3.5 et.seq. for details. 1812 Requirements for IP Version 4 Routers. F. Baker, Ed.. June 1995. (Format: TXT=415740 bytes) (Obsoletes RFC1716, RFC1009) (Updated by RFC2644) (Status: PROPOSED STANDARD) The "routers" normally found in the home behave differently, because they are not routers in the classic sense. In many cases, they are doing port/IP translating, such that you have a non-routable (RFC1918) address on your side, and can have multiple systems that appear on the Internet as one. In other cases, they are behaving more like Ethernet switches, separating traffic (collision domains) between the ISP side and your system[s]. On Monday, you asked this question in the thread "Do MAC addresses go to internet?", and in my response (Message-Id: <slrnfhpug6.uho.ibuprofin@compton.phx.az.us>) I suggested trying to use a packet sniffer to see what's on your wires. Did this not work? >and thus broadcasts from the WAN side shouldn't be forwarded to the LAN >or does that in general only occurs in the reverse (eg from LAN -> WAN) ? The only time a "router" should forward broadcasts (other than DHCP requests when the router is configured as a DHCP Relay Agent - see RFC1542 et.seq.) is when it is not acting as a classic router per RFC1812. ARP packets are not forwarded by such routers, because the Ethernet concept doesn't need the "end" MAC address, but it DOES need the MAC address of the "next hop". As far as ARP is concerned, the only time an ARP request is forwarded is in Proxy-ARP where the "router" is attempting to make it appear that a system on a separate interface but using the same IP range is on the local network wire. See the "Proxy-ARP-Subnet" mini-howto -rw-rw-r-- 1 gferg ldp 19372 Aug 28 2000 Proxy-ARP-Subnet for additional details. Old guy

On Fri, 26 Oct 2007, in the Usenet newsgroup comp.os.linux.networking, in article <4721c67f$0$29248$ba620e4c@news.skynet.be>, goarilla wrote: >Moe Trin wrote: >> The "routers" normally found in the home behave differently, because >> they are not routers in the classic sense. In many cases, they are >> doing port/IP translating, such that you have a non-routable (RFC1918) >> address on your side, and can have multiple systems that appear on >> the Internet as one. In other cases, they are behaving more like >> Ethernet switches, separating traffic (collision domains) between the >> ISP side and your system[s]. On Monday, you asked this question in >> the thread "Do MAC addresses go to internet?", and in my response >> (Message-Id: <slrnfhpug6.uho.ibuprofin@compton.phx.az.us>) I suggested >> trying to use a packet sniffer to see what's on your wires. Did this >> not work? > >i did not found any MAC adresses belonging to machines other than the >ones that should be on the LAN so i guess i'm safe. From that particular problem - yes. I have three connections in my house, and all have "routers" with the manufacturers labels covered by a label from the telephone company - they sorta look like Speedstream Bridge/Modems from 'Efficient Networks', but I can't be sure. I most definitely see MAC addresses from other hardware. >but seriously i shouldn't have to take into account that some routers >DON'T act like routers. Routers should be routers and conform to every >letter in the rfc's Tell that to the marketing departments - both of the manufacturers such as Alcatel, Efficient Networks, Westell (and others), and to the ISP. Remember, we don't want to confuse the customers with big words such as 'bridge' and 'switch' which have meanings normally associated with them from completely different venues. >> ARP packets are not forwarded by such routers, because the Ethernet >> concept doesn't need the "end" MAC address, but it DOES need the MAC >> address of the "next hop". As far as ARP is concerned, the only >> time an ARP request is forwarded is in Proxy-ARP where the "router" >> is attempting to make it appear that a system on a separate interface >> but using the same IP range is on the local network wire. >i've seen this behaviour (eg MAC next hop) in packets but i've never had >somebody explain the reason for this so short and beautifully thanks :D People tend to forget that Ethernet links can carry a large number of protocols besides IP, or even that there are different types of Ethernet frames to begin with. _ALL_ packets on Ethernet links are using MAC addresses for source and destination. Look at the two octet 'Type' field (counting from zero, octets 12 and 13 in RFC0894 frames, 20 and 21 in RFC1042 frames). While this allows for 65536 types, only roughly 180 are defined (http://www.iana.org/assignments/ethernet-numbers). This basically rules out moving packets over Ethernet by any other means. The protocol at this level is only concerned with moving packets between "directly" connected (I quote the word because the media between the hosts is not important - this could be wire, fiber, wireless of some form, or wet string) hosts. Hosts not "directly" connected are handled by higher levels in the networking stack, no matter if they packet contains an IP datagram, some form of Appletalk, Novell IPX, or some ancient thing like Banyan Vines, or Xerox XNS (all of which are routable, given appropriately configured routers). Old guy

Philippe Signoret <philippe.signoret@gmail.com> wrote: > I ran Ethereal and captures all packets for 1 minute and 49 seconds. > These are the results I got: > ------------------- > Total 503 > TCP 353 70.2% > UDP 15 3.0% > ICMP 13 2.6% > ARP 122 24.3% > Running time: 00:01:49 > -------------------- > Is this a normal ARP packet percentage? It seems a bit high to me. I don't know about the percentages, but will point-out that ARP requests, since they are sent as broadcast frames, will be seen by all stations in the broadcast domain. TCP, UDP and most ICMP will be point-to-point, so unless you are sniffing on the equivalent of a hub rather than a switch you may not be getting the full story about what is on your network overall. rick jones -- The glass is neither half-empty nor half-full. The glass has a leak. The real question is "Can it be patched?" these opinions are mine, all mine; HP might not want them anyway... :) feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

In article <1194489659.099456.200960@57g2000hsv.googlegroups.com>, Steven Borrelli <sborrelli8@gmail.com> wrote: >On Oct 24, 4:37 pm, Philippe Signoret <philippe.signo...@gmail.com> >wrote: >> I ran Ethereal and captures all packets for 1 minute and 49 seconds. >> These are the results I got: >> >> ------------------- >> Total 503 >> >> TCP 353 70.2% >> UDP 15 3.0% >> ICMP 13 2.6% >> ARP 122 24.3% >> >> Running time: 00:01:49 >> -------------------- >> >> Is this a normal ARP packet percentage? It seems a bit high to me. >> >> Thanks, >> Philippe Signoret West > >It seems somewhat reasonable, because all of your TCP activity should >require a substantial amount of address resolution Seems way too high. -- The most powerful Usenet tool you have ever heard of. NewsMaestro v. 4.0.8 has been released. * Several nice improvements and bug fixes. Note: In some previous releases some class files were missing. As a result, the program would not run. Sorry for the inconvenience. Web page: http://newsmaestro.sourceforge.net/ Download page: http://newsmaestro.sourceforge.net/Download_Information.htm Send any feedback, ideas, suggestions, test results to newsmaestroinfo \at/ mail.ru. Your personal info will not be released and your privacy will be honored.