[lug] Can a Hub go bad?

John Hernandez John.Hernandez at noaa.gov
Fri Jul 27 12:44:54 MDT 2001


Tim, this could be many things.  A broadcast storm of some type, or even a DoS attack.  Tcpdump should be able to decode all the Ethernet frames on the wire for you.  The name is misleading, since it's really a rudimentary (and very useful) sniffer that puts your interface in promiscuous mode and reports to you what's on the wire (not just TCP traffic).  You can try 'ip proto udp', or 'ether broadcast'.  Ethereal is a more user-friendly sniffer.  You should be able to determine the source and type of the offending packets using these tools.  I've seen hubs and switches go haywire before, generating lots of noise on the wire.

I'd be curious to hear what you find.

-John

Tim Klein wrote:
> 
> Hello All,
> 
> Of course a hub could go bad, but could it cause this problem?:
> 
> I have a DSL connection from a Cisco 675, and two machines with
> static IPs, connected to a 10/100 3Com hub.  The Cisco is in
> bridging mode, giving the 2 machines access to the Internet.
> These machines run Debian Sid.
> 
> About 2 days ago, I noticed the activity and collision lights on
> the hub start to go nuts, as in, they were blinking several
> times a second, non stop.  After trying to track down what was
> causing this (shutting machines off, power cycling the modem,
> etc) I was not able to stop this activity, or even track it.
> After about a day, Internet performance degraded to the point
> where it was considerably worse than a dial up modem.
> 
> So today, I started to attack the problem seriously.  I found
> that the packets seem to be UDP.  This is a guess, as I run
> SNORT.  It sends me a daily report, usually my network is about
> 95% tcp.  But the last report was 85% udp!  This was a giant
> change.  Which would also explain why my tcpdump investigating
> turned up nothing.  What's a similar tool to track udp?
> 
> The reason I am suspecting the hub is this:  with both machines
> off, and only the Cisco powered up, I still have plenty of
> activity lights blinking, on the Cisco and the hub.  Today, I
> unplugged the hub, found my cross over cable, and plugged the
> Cisco directly into one of my machines.  All abnormal activity
> has disappeared.  Internet performance is back up to par.
> 
> What the heck could be causing this?  I can't imagine that it
> really is the hub, but I can't find anything on either of my
> machines spewing packets.
> 
> TIA,
> 
> Tim
> --
> ==============================================
> == Timothy Klein || teece at silverklein.net   ==
> == ---------------------------------------- ==
> == "Hello, World" 17 Errors, 31 Warnings... ==
> ==============================================
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

-- 

  - John Hernandez - Network Engineer - 303-497-6392 -
 |  National Oceanic and Atmospheric Administration   |
 |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
  ----------------------------------------------------
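
An added example, not part of either message: one way to turn a capture into "source and type of the offending packets" is to tally frames by source MAC, by protocol, and by broadcast destination. The sample lines are constructed and assume the line layout printed by `tcpdump -e -n`; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -e -n` output (assumed layout).
SAMPLE = """\
12:44:01.000101 00:10:4b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
12:44:01.000202 00:10:4b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
12:44:01.000303 00:10:4b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
12:44:01.000404 00:10:4b:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
12:44:01.000500 00:10:4b:aa:bb:02 > 00:10:4b:aa:bb:03, ethertype IPv4 (0x0800), length 74: 192.0.2.11.40000 > 192.0.2.1.80: Flags [S], seq 1, win 5840, length 0
12:44:01.000600 00:10:4b:aa:bb:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.11, length 28
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
LINE_RE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\S+) \(0x[0-9a-f]{4}\), length \d+: (?P<rest>.*)$"
)

def classify(etype, rest):
    """Name the traffic type: non-IP frames by ethertype, IPv4 by payload hint."""
    if etype != "IPv4":
        return etype
    if ": UDP" in rest:
        return "UDP"
    if "Flags [" in rest:
        return "TCP"
    return "IPv4-other"

def summarize(text):
    """Count frames per source MAC and per type; lines that do not parse are skipped."""
    by_src, by_type = Counter(), Counter()
    total = broadcast = 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        total += 1
        by_src[m["src"]] += 1
        by_type[classify(m["etype"], m["rest"])] += 1
        broadcast += m["dst"] == BROADCAST
    return {"total": total, "broadcast": broadcast,
            "by_src": by_src, "by_type": by_type}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("frames:", report["total"], "broadcast:", report["broadcast"])
    print("top talkers:", report["by_src"].most_common(3))
    print("types:", report["by_type"].most_common())
```

A source MAC that appears in the tally but belongs to none of the attached machines points at the bridge or the hub side of the segment rather than a host.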


