Solved

URGENT Network Problem

Posted on 2009-03-30
255 Views
Last Modified: 2012-05-06
I am trying to isolate a server we have that is flooding the network with ARP requests. I am not sure why. I can't seem to find a program that is doing this. I am using a packet sniffer and traced it to this specific PC, and used a program called Active Ports to try to see what executable is actually doing it, but I can't find it.
Packets.bmp
Question by:mrsam3
13 Comments
 
LVL 4

Expert Comment

by:anvanster
What is this server's purpose?
0
 
LVL 4

Expert Comment

by:anvanster
Have you tried "netstat"? What applications do you have there?
0
 
LVL 3

Expert Comment

by:stlbridge
Netstat -n
or
Download this (http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx) and run it on the crazed computer.
0
 
 
LVL 2

Accepted Solution

by:
mrsam3 earned 0 total points
I was able to resolve this; it was a Xerox network discovery application that was running as a service for some reason...
0
 
LVL 3

Expert Comment

by:stlbridge
HOW did you resolve the issue?  You looked at your active services and it told you that your Xerox net discovery was sending ARP floods?
0
 
LVL 2

Author Comment

by:mrsam3
No, I saw that it was using 20% CPU, so I killed the exe and the ARP requests stopped.
0
 
LVL 3

Expert Comment

by:stlbridge
I see.  I am fine with you not giving us the points in this case.  However, I do find it amazing that you would have used a packet sniffer prior to checking active processes.  It is a bit easy to overlook though.

New website title:  Xerox Exploit Brings Server to a Crawl

Good find, and thanks for reposting that info.  I think it will definitely help others.  If I may ask one other thing: how did you find out that this was going on?  Were you receiving notifications?
0
 
LVL 2

Author Comment

by:mrsam3
Our users were complaining that the network was slow and the internet was slowing to a crawl (slower than dialup), so I thought we had a spammer or something... So we put the sniffer in and noticed Ethernet broadcasts from the MAC address of our server. So after a bunch of research I looked in the processes and saw the Xerox was taking 20% CPU sometimes and it said Xerox Discovery, so I assumed it was that; once I killed it our ARP requests ended... But we had no idea where the flood was coming from previously because all our switches are unmanaged.
0
 
LVL 3

Expert Comment

by:stlbridge
Since NETSTAT more than likely was an acceptable answer, I propose the total points offered be split.
0
 
 
LVL 2

Author Comment

by:mrsam3
Netstat did not show anything; I even used Active Ports. They were not established connections on the network. They were broadcast packets and not established TCP/IP connections.
0
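ARP who-has requests are link-layer broadcasts with no socket behind them, which is why netstat and Active Ports had nothing to list while the sniffer did. The sketch below is an added example, not code from any participant in this thread: it counts ARP requests per sender MAC over raw Ethernet frames and flags senders above a rate limit. The frames, MAC addresses and the 10 requests/s threshold are constructed assumptions.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed sample frame: Ethernet header plus ARP who-has payload."""
    eth = BROADCAST + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet/IPv4, opcode 1
    return eth + arp + src_mac + bytes(src_ip) + b"\x00" * 6 + bytes(target_ip)

def parse_arp_request(frame):
    """Return (sender_mac, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    return frame[22:28].hex(":"), ".".join(map(str, frame[38:42]))

def find_arp_flooders(frames, window_s, max_per_s=10.0):
    """Map sender MAC -> (requests/s, distinct targets) for senders over the limit."""
    counts, targets = Counter(), {}
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue  # not an ARP request (other traffic, ARP replies)
        mac, target = parsed
        counts[mac] += 1
        targets.setdefault(mac, set()).add(target)
    return {mac: (n / window_s, len(targets[mac]))
            for mac, n in counts.items() if n / window_s > max_per_s}

def sample_capture():
    """Constructed 5-second capture: one host sweeping a /24, one normal host."""
    server = bytes.fromhex("020000000a01")  # constructed MAC addresses
    pc = bytes.fromhex("020000000b02")
    frames = [build_arp_request(server, (192, 168, 1, 10), (192, 168, 1, h))
              for h in range(1, 255)]
    frames += [build_arp_request(pc, (192, 168, 1, 50), (192, 168, 1, 1))] * 3
    frames.append(pc + server + struct.pack("!H", 0x0800) + b"\x00" * 46)  # IPv4
    return frames

if __name__ == "__main__":
    for mac, (rate, n) in find_arp_flooders(sample_capture(), window_s=5).items():
        print(f"{mac}: {rate:.1f} ARP requests/s to {n} distinct targets")
```

A high count of distinct target addresses from one sender is the signature of a discovery sweep; on unmanaged switches the sender MAC in the capture is the only pointer back to the host.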
