tcpdump weirdness ...

Here’s a sample of a tcpdump I took while we were seeing “flooding” …

xx.255.238.122 > xx.142.18.133: icmp: time exceeded in-transit for xx.142.18.133.2857 > xx.211.55.94.6349: [|tcp] (DF) (ttl 2, id 37407, len 40, bad cksum 396c!) (ttl 253, id 61442, len 56)

It seems our client xx.142.18.133 is communicating with xx.211.55.94, but what is xx.255.238.122 doing there, and what does it mean?

(It’s an IP of another client on our system)

Any ideas?

That would be plain ol’ traceroute.

But there are 3 IPs that show up in that same tcpdump line …

2 are our clients and the third one is an outside network?!

The 2 clients are both on the same layer 2 network,
and not routing through each other …

The TTL is 2, so the second hop out replied that it expired?

Sam

Hmm, yes it’s quite strange.

When I run tcpdump I see that same line about 100 times a second …
Looks like a flood?

xx.255.238.122 and xx.142.18.133 are client IPs,
and they’re both on a layer 2 network with gateways 238.1 and 18.1
(238.1 and 18.1 being the same ethernet interface)

Why would one route through the other?
Something weird is going on here, or am I missing something?

Thanks!

Ah, I see, the one routes through the other?

Check their configurations; it could be that one is misconfigured, but it could also imply that the “middle” IP is responding to ARP requests for the gateway IP.
That is an unfortunate situation; perhaps it’s configured to do proxy-ARP?
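As an added example (not from the thread), a Python script that parses tcpdump lines in the format quoted above and counts ICMP time-exceeded messages whose sender is a non-gateway host inside our own subnets, which is the situation the last reply suspects (a client routing, or answering ARP for the gateway). The sample lines, the /24 masks and the gateway addresses are constructed; the masked "xx." octets are replaced with 10.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the thread's tcpdump format; the masked "xx." octets are
# replaced with 10. so the addresses parse (private range, not real hosts).
SAMPLE = """\
10.255.238.122 > 10.142.18.133: icmp: time exceeded in-transit for 10.142.18.133.2857 > 10.211.55.94.6349: [|tcp] (DF) (ttl 2, id 37407, len 40, bad cksum 396c!) (ttl 253, id 61442, len 56)
10.255.238.122 > 10.142.18.133: icmp: time exceeded in-transit for 10.142.18.133.2857 > 10.211.55.94.6349: [|tcp] (DF) (ttl 2, id 37408, len 40, bad cksum 396d!) (ttl 253, id 61443, len 56)
10.0.0.1 > 10.142.18.133: icmp: time exceeded in-transit for 10.142.18.133.33434 > 10.211.55.94.33435: [|udp] (ttl 1, id 5, len 60) (ttl 64, id 6, len 88)
10.142.18.133.2857 > 10.211.55.94.6349: S 1:1(0) win 8192 (DF) (ttl 128, id 100, len 48)
"""

# tcpdump prints ICMP time-exceeded as: reporting host > victim, the quoted
# original packet, the quoted header's (ttl ...), then the outer packet's (ttl ...).
IP = r"\d+(?:\.\d+){3}"
TIME_EXCEEDED = re.compile(
    rf"^(?P<reporter>{IP}) > (?P<dst>{IP}): icmp: time exceeded in-transit "
    rf"for (?P<isrc>{IP})\.(?P<isport>\d+) > (?P<idst>{IP})\.(?P<idport>\d+):"
    r".*?\(ttl (?P<ittl>\d+),.*?\(ttl (?P<ottl>\d+),"
)

def parse_time_exceeded(text):
    """Return one dict per ICMP time-exceeded line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = TIME_EXCEEDED.match(line)
        if m:
            d = m.groupdict()
            d["ittl"], d["ottl"] = int(d["ittl"]), int(d["ottl"])
            out.append(d)
    return out

def local_non_gateway_reporters(records, local_nets, gateways):
    """Count time-exceeded reports whose sender is inside one of our own
    subnets but is not a gateway. An end host never forwards packets, so it
    should never originate 'time exceeded'; one that does is either routing
    (misconfigured) or answering ARP for the gateway address."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    gws = {ipaddress.ip_address(g) for g in gateways}
    hits = Counter()
    for r in records:
        rep = ipaddress.ip_address(r["reporter"])
        if rep in gws or not any(rep in n for n in nets):
            continue
        flow = f'{r["isrc"]}:{r["isport"]}->{r["idst"]}:{r["idport"]}'
        hits[(r["reporter"], flow)] += 1
    return hits
```

Calling `local_non_gateway_reporters(parse_time_exceeded(SAMPLE), ["10.255.238.0/24", "10.142.18.0/24"], ["10.255.238.1", "10.142.18.1"])` on the sample flags only the 10.255.238.122 reports (twice, one per repeated line); the report from 10.0.0.1 is an ordinary off-net router and is ignored.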