"tcpdump" command:

Posted in Genius Bar, edited January 2014
I happened to run the "tcpdump" CLI command on an OS X 10.2.4 box today. The computer I ran the command on is a simple test intranet web server. It's not in production yet. I was curious about "tcpdump" (never used it), and I wanted to monitor its connection for the heck of it. "hands-on-training"...

I soon realized that I was seeing all kinds of network "chatter" and transactions, not just connections specific to the local Mac itself. Lots of requests like "who has" and "tell" were flying by on my terminal window. I also saw lots of what appeared to be hex values and arpa DNS info, NETBIOS stuff and some "ipx-sap-req" stuff as well. I could see both TCP and UDP stuff.

Is this activity normal?

I assume I am "seeing" packets hitting my local ports that are not being routed properly, correct?

Why am I seeing these packets blasting all over the place?

Shouldn't I see *only* packets originating/destined for the local box?

Do I have faulty switches?

Is my network inefficient?

A little more about my network: I have about 50 users, mostly Mac OS 9 clients. I have a couple Asante NetStacker II Switches, and a couple Linksys EtherFast II Switches. I have a Cisco 515 PIX router. I don't have ANY "dumb" (unswitched) hubs. My building is wired with cat5e cable. All my clients use DHCP. Only about 10 computers have "hard-coded" IPs (servers, etc). Other than printers, I don't have many legacy AppleTalk devices anymore. I have an internal DNS server (NT box running Cisco's Network Registrar 5.5.2). I have a DHCP server (NT), an NT 4 Exchange 5.5 server, two OS X 10.2.3 servers running AFP and SMB services, two OS X Apache servers, an old Novell 4.11 file server.

Comments

  • Reply 1 of 8
    roduk Posts: 706 member

    [ 02-26-2003: Message edited by: RodUK ]
  • Reply 2 of 8
    Rod, did your lawyer tell you to retract your statement? :0)
  • Reply 3 of 8
    roduk Posts: 706 member
    No, you did by telling me you don't have ANY unswitched hubs
  • Reply 4 of 8
    [quote]Originally posted by RodUK:
    No, you did by telling me you don't have ANY unswitched hubs[/quote]

    Funny you should ask...

    As another test, I built a quick (isolated) 4 Mac network, this time with a simple el-cheapo dumb (not switched) hub. I turned on all 3 Macs and I started various internet/network-related tasks (one Mac browsed the Web, one Mac was FTPing files, the other was sending e-mail). On another Mac, I ran the tcpdump command and watched the output for a long while...

    I saw ALL KINDS of stuff whizzing by! Not just broadcast stuff, or stuff intended for that particular Mac. In fact, after I studied it a while, I could monitor what any given Mac was doing from any other Mac's terminal using the tcpdump command!

    I assume this is because I connected them all on a *dumb* hub, and thus packets were being blasted all over the place? Can someone please tell me if my guess is right?

    Yes, Rod, my "real" network at work has NO dumb hubs in production. They are all switched. I double-checked.

    [ 02-26-2003: Message edited by: dstranathan ]
  • Reply 5 of 8
    wmf Posts: 1,164 member
    [quote]Originally posted by dstranathan:
    I soon realized that I was seeing all kinds of network "chatter" and transactions, not just connections specific to the local Mac itself. Lots of requests like "who has" and "tell" were flying by on my terminal window. I also saw lots of what appeared to be hex values and arpa DNS info, NETBIOS stuff and some "ipx-sap-req" stuff as well. I could see both TCP and UDP stuff.[/quote]

    Sounds pretty normal. There's plenty of broadcast traffic on most networks.
  • Reply 6 of 8
    wmf Posts: 1,164 member
    [quote]Originally posted by dstranathan:
    I assume this is because I connected them all on a *dumb* hub, and thus packets were being blasted all over the place? Can someone please tell me if my guess is right?[/quote]

    You are right. On a hub, every computer sees every packet.
  • Reply 7 of 8
    123 Posts: 278 member
    [quote]Originally posted by dstranathan:
    Lots of requests like "who has" and "tell" were flying by on my terminal window
    .....
    Is this activity normal?[/quote]

    Just want to point out that this is not a hub/switch issue (while all the other things you mentioned certainly are). What you are seeing here are ARP broadcast packets sent by your provider's router. The router wants to know what device (MAC address) is associated with a particular IP address, so he knows where to send packets addressed to that IP. This works both ways, type "arp -a" to see your ARP table (usually the router and some local computers). Since those are broadcasts, you will also see them in a switched environment.
  • Reply 8 of 8
    roduk Posts: 706 member
    [quote]Originally posted by 123:
    What you are seeing here are ARP broadcast packets sent by your provider's router. The router wants to know what device (MAC address) is associated with a particular IP address, so he knows where to send packets addressed to that IP. This works both ways, type "arp -a" to see your ARP table (usually the router and some local computers). Since those are broadcasts, you will also see them in a switched environment.[/quote]

    I thought this, but having resolved IP and ethernet addresses with initial 'tell me the ethernet address for IP address 1.2.3.4' broadcasts, aren't they held in an ARP table and subsequently looked up? Having said that, I believe the ARP table is sometimes implemented like a cache, so only the most recent entries are held, and I guess an ARP table isn't maintained by every machine. Also, I believe you can tell ARP broadcast messages from the recipients address in the header (all Fs?).

    [ 02-27-2003: Message edited by: RodUK ]
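The ARP traffic discussed in replies 7 and 8 (the "who-has ... tell ..." requests that tcpdump prints, the all-Fs broadcast destination, and the per-host ARP table that "arp -a" lists), shown as an added example that is not code from this thread or from any of its posters. It decodes constructed Ethernet II/ARP frames into tcpdump-style lines and keeps a simplified ARP cache. The MAC and IP addresses, the sample exchange and the helper names (build_arp_frame, parse_arp_frame, replay) are all made up for the demonstration.

```python
"""Decode Ethernet II / ARP frames into the lines tcpdump prints ("who-has ...
tell ...", "is-at ...") and build the IP->MAC table that "arp -a" shows.

Added example, not code from the thread. The MAC and IP addresses below are
constructed for the demonstration; nothing here is captured from a real LAN.
"""
import struct

BROADCAST_MAC = b"\xff\xff\xff\xff\xff\xff"   # the "all Fs" destination address
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses: a router asking for a host, and the host answering.
ROUTER_MAC, ROUTER_IP = bytes.fromhex("001122334401"), bytes([192, 168, 1, 1])
HOST_MAC, HOST_IP = bytes.fromhex("001122334420"), bytes([192, 168, 1, 20])


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.

    eth_dst defaults to target_mac (a unicast reply); a request passes
    BROADCAST_MAC because the asker does not yet know the target's MAC.
    """
    eth_dst = target_mac if eth_dst is None else eth_dst
    ethernet = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    return ethernet + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp_frame(frame: bytes) -> dict:
    """Parse one frame; return its fields plus a tcpdump-style summary line."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4 over Ethernet ARP is handled here")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    if op == ARP_REQUEST:
        summary = f"arp who-has {ip_str(tpa)} tell {ip_str(spa)}"
    elif op == ARP_REPLY:
        summary = f"arp reply {ip_str(spa)} is-at {mac_str(sha)}"
    else:
        summary = f"arp unknown op {op}"
    return {
        "broadcast": eth_dst == BROADCAST_MAC,  # True only for the all-Fs destination
        "op": op,
        "sender_ip": ip_str(spa), "sender_mac": mac_str(sha),
        "target_ip": ip_str(tpa), "target_mac": mac_str(tha),
        "summary": summary,
    }


def replay(frames):
    """Feed frames through the parser, keeping an ARP table the way a host does.

    Simplification: every ARP packet's sender binding is learned. A real stack
    is stricter about which packets update its cache and ages entries out,
    which is why a host broadcasts a fresh request once an entry expires.
    """
    table, summaries, broadcasts = {}, [], 0
    for frame in frames:
        parsed = parse_arp_frame(frame)
        table[parsed["sender_ip"]] = parsed["sender_mac"]
        summaries.append(parsed["summary"])
        broadcasts += parsed["broadcast"]
    return summaries, table, broadcasts


# Constructed exchange: the request is a broadcast, so every port on a hub AND
# every port on a switch sees it; the reply is unicast back to the router.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, ROUTER_MAC, ROUTER_IP, b"\x00" * 6, HOST_IP, eth_dst=BROADCAST_MAC),
    build_arp_frame(ARP_REPLY, HOST_MAC, HOST_IP, ROUTER_MAC, ROUTER_IP),
]

if __name__ == "__main__":
    lines, arp_table, n_bcast = replay(SAMPLE_FRAMES)
    print("\n".join(lines))
    print(f"{n_bcast} of {len(lines)} frames were broadcasts")
    for ip, mac in arp_table.items():       # roughly what "arp -a" would list
        print(f"? ({ip}) at {mac}")
```

The request frame carries destination ff:ff:ff:ff:ff:ff, which is the field reply 8 asks about: a switch floods such a frame to every port exactly as a hub would, so a sniffer on a switched segment still sees every "who-has". The reply is addressed to one MAC, so on a switch only the asking port sees it, while on a hub every port does.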