johncharnock
asked on
Network broadcasts and hundreds of ARP cache entries when viewing wityh arp-a
I noticed quite a bit of network traffic on my switches. I identified the network card that was sending out the broadcasts, it was on a new Windows 2000 with RIS & DHCP installed. It is also a DC. When I do a arp -a I can see hundreds of entries such as 10.0.0.2 0000000000000, where the 0000000000000 should be a MAC address its all zero's which make sense as I only have one PC attached to this server. It is as if it is running through all the possible combinations of the DHCP server and trying to resolve a MAC address.
If I re boot it calms down but start after about ten minutes
Any ideas
If I re boot it calms down but start after about ten minutes
Any ideas
What happens if you disable DHCP? I would not be surprised that a faulty/inconfigured DHCP server would cause a lot of traffic on a network with one PC.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Also, it is not recommended to put RIS on a DC. Although it may not be your problem, I thought I might mention it.
Other than that, how is everyone doing today?
FE
Other than that, how is everyone doing today?
FE
>>Other than that, how is everyone doing today?
I found two orange lights on the server,
A workstations harddisk failed,
Internet site of our company wasn't available today,
E-mail wasn't working today,
Talking about a really bad day :-( Thank god eveything is working now....
I found two orange lights on the server,
A workstations harddisk failed,
Internet site of our company wasn't available today,
E-mail wasn't working today,
Talking about a really bad day :-( Thank god eveything is working now....
I started to read you comment and thought you were writing a poem. :)
Remember last Monday when you asked where I was all day? Yep, sometimes Wednesday feels like Monday!
FE
Remember last Monday when you asked where I was all day? Yep, sometimes Wednesday feels like Monday!
FE
>and thought you were writing a poem
I wish I was writing one, today was one of the worst days I've ever had at work. :-(
>Yep, sometimes Wednesday feels like Monday!
Lol!
I wish I was writing one, today was one of the worst days I've ever had at work. :-(
>Yep, sometimes Wednesday feels like Monday!
Lol!
ASKER
Its not a faulty card as this is a new intel server board with two NICs both have the same problem. It not a Virus as it is a new Install.
John
John
>Its not a faulty card as this is a new intel server board with two NICs both have the same problem.
And what tells you the motherboard isn't faulty? Please try to disable both nics and install another one.
>It not a Virus as it is a new Install.
Sorry to say this, but I get really terrified by these kind of comments. Please try scanning for virusses, you can never do this too many times. If it won't help, at least it can't hurt either.
And what tells you the motherboard isn't faulty? Please try to disable both nics and install another one.
>It not a Virus as it is a new Install.
Sorry to say this, but I get really terrified by these kind of comments. Please try scanning for virusses, you can never do this too many times. If it won't help, at least it can't hurt either.
Please try this:
taken from http://www.grc.com/dos/grcdos.htm
--------------------------
A Quick & Easy Check for IRC Zombie/Bots
If you have managed to read all the way through this lengthy and detailed adventure, I am sure you will agree that you do NOT want any of these nasty Zombies or their relatives running around loose inside your PC. Fortunately, it's quite easy to verify that your system is not currently infected by one of these IRC Zombie/Bots.
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
--------------------------
taken from http://www.grc.com/dos/grcdos.htm
--------------------------
A Quick & Easy Check for IRC Zombie/Bots
If you have managed to read all the way through this lengthy and detailed adventure, I am sure you will agree that you do NOT want any of these nasty Zombies or their relatives running around loose inside your PC. Fortunately, it's quite easy to verify that your system is not currently infected by one of these IRC Zombie/Bots.
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
--------------------------
ASKER
LucF
You were right it was a virus, I had connected to the internet bofore applying SP 4 it was the nachi virus
Thanks
You were right it was a virus, I had connected to the internet bofore applying SP 4 it was the nachi virus
Thanks
Glad to see your problem is solved ;-)
Cool. Nasty things, those virii.
Morning, or afternoon to you LucF
Morning, or afternoon to you LucF