Need advice from ip/routing expert

Adey2002

Hi,

I have a problem with my internet connection at the moment which I think is related to ip/routing. It's causing my connection to run like a dog, lost packets, high latency and slow down/upload.

I have a static ip and according to my isp, I'm maxing out my connection 24/7 and have been for some time, even when I have nothing but the modem powered on.

So, I ran a packet sniffer and it seems that a German isp with a similar ip range as my isp (as in the first xxx.xxx is the same) is sending me a constant stream of traffic. the resolved source addresses all begin "xdsl-xxx-xxx" or "dial-xxx-xxx" and the destination addresses all have the same xxx.xxx.

My isp is looking into it but my uneducated guess is this German isp has incorrectly configured a router or something similar and is mis-routing traffic to me.

If anyone with any knowledge would like to hazard a guess at the problem, or wants to have a look at the sniffer results please let me know.

Any help appreciated.

Thanks
Adey.

MiCr0

can you run a network capture and we can see whats causing the problem?
it could be an invected pc @ the far end spamming the xxx.xxx.yyy.yyy subnet

Adey2002

MiCr0 wrote:

can you run a network capture and we can see whats causing the problem?
it could be an invected pc @ the far end spamming the xxx.xxx.yyy.yyy subnet

I'n not sure what you mean by network capture, could you explain how I do that?

Also I have pm's you a link to the sniffer results.

Thanks
Adey

Kali

Try Ethereal, that'll show you the contents of the packets you're receiving.

Adey2002

Kali wrote:

Try Ethereal, that'll show you the contents of the packets you're receiving.

Thanks Kali, MiCr0 has already suggested Ethereal. I did try to download it last night but the connection is so bad at the moment, I had to give up. I'll try and get it again tonight..

azzeretti

Adey2002 wrote:

So, I ran a packet sniffer and it seems that a German isp with a similar ip range as my isp (as in the first xxx.xxx is the same) is sending me a constant stream of traffic.

Any idea what type of traffic? This sounds a little strange alright. If you could post the sniffer log, that might help

Adey2002

I managed to get ethereal downloaded and installed last night. Results are here.. www.aspbits.com/ethereal.zip.

If some one could have a look and let me know what they think it is I would appreciate it.

Thanks.

liamo

Hi Adey,

Most of the packets in the capture (75%) were ARP packets.

The destination address of most of the remaining traffic was 213.168.233.83 - which, I assume, is yours? There are loads of SYN packets from various addresses to port 4662 at this IP address and quite a few UDP packets to port 4672. These packets are getting dropped which is the correct behaviour (assuming you don't want them, that is).

TCP 4662 and UDP 4672 are used by the eDonkey Peer-to-peer file sharing system. Is this ringing any bells? If not, were you only recently assigned this static IP address? If it's a new address, you may have inherited an IP address that was part of that file sharing network.

If I got your IP address wrong - oops! Let me know the correct one.

Regards,

Liam

Snaga

It looks like your ISP's network is putting all (or lots) of their customers on the same LAN. Not only that, it looks like its one big collision domain - thats your neighbours edonkey traffic your being blasted with.

Would you mind pm-ing me your ip address so I can filter it out of the capture?

Adey2002

Snaga wrote:

It looks like your ISP's network is putting all (or lots) of their customers on the same LAN. Not only that, it looks like its one big collision domain - thats your neighbours edonkey traffic your being blasted with.

Would you mind pm-ing me your ip address so I can filter it out of the capture?

pm'd, thanks