On Thursday 12 December 2002 19:50, Robert Foxworth wrote:
> I just ran a 2-hour-plus pkt capture on my public interface, catching
> everything except ARP (ARP is 80 to 90% of all ethernet traffic
> on my rr connection). There was a single attempt at port 137
> during this time, from 67.89.57.118. Normally I see 15 to 20
> different unID IPs in a day, well over half are trying 137. However it
> is just because these fellows think RR will be all Windows
> machines on THIS end, and are easy pickings. It is not a RR-centric
> issue; one never (or, should never) see any IP traffic to/from anyone
> else on his local HFC. I never do, just see unACK ARPs from the local
> gateways to various machines. BTW There are 6 subnets of /24 on my
> branch. Not too bad; last year there were 13.

I've been running arpwatch in parallel with the DHCP packet capture on my
DOCSIS segment (T17a-MLKJrBlvd-Tampa-66) for the past 6 months.
An interesting factoid: there are precisely six (6) unique MAC addresses that
I've been able to capture on my segment.

> Bottom line: I do not see any evidence of the 137 udp storm
> referred to by the original poster. What type address are you on, Jeff?

On my old legacy Motorola TW segment, I did seem to get quite a lot of
broadcast Microsoft traffic.
Do you have a legacy Motorola cablemodem? Or a "newer" DOCSIS cablemodem like
the Ericsson?
- Ian
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:13:45 EDT