[OT] Traffic from ff:ff:ff:ff:ff:ff in switched environment
Eduardo Fernández
eduardo at cmusanjuan.com
Tue Nov 16 23:37:21 CET 2004
El mar, 16-11-2004 a las 17:02 -0500, Jason Opperisano escribió:
> it's more likely that ff:ff:ff:ff:ff:ff is the destination mac, not the
> source...
Nope, I was quite surprised too, but that's the src mac.
> arp "who-has" packets are vital to the proper functioning of a local
> area network--it's how each host finds the MAC address associated with
> each IP on the network.
I've seen some viruses lately trying to forge their ip/mask, maybe this
is the cause, since I've never since traffic FROM that mac.
> the volume of traffic you're seeing is a symptom of the fact that you
> have a /16 configured as a flat, switched network.
>
> the guy that i learned TCP/IP networking from once told me a good
> guideline is to never have more than 1024 hosts in a single layer-2
> broadcast domain, as the broadcast traffic becomes unmanageable. he
> knew a whole lot more than i ever will--so i try to stick to that when i
> (re)design a network.
Mmm, it's a /16 but I don't have more than about 500 computers. Maybe I
should resize the network to a /22 or so.
Thank you very much,
Eduardo
More information about the netfilter
mailing list