«

Peter Grooby <> wrote in message news:<> ...
> > > I understand that these are broadcast packets. Does anyone know if I
> > > might be being charged for 'downloading' these packets? I would hope
> > > not, but it never hurts to ask.
> >
> > Out of interest are these Universal Plug and Play broadcasts?
> >
> I am using Ethereal to view the packets. How do I tell if they are
> Universal Plug and Play broadcasts?

UPnP traffic looks like SOAP traffic, so if you've got the etherreal
sniffs do a search to see what that looks like

They're probably not, but might be, especially if you've installed the
UPnP discovery feature in Windows XP

Peter Grooby wrote:

> Hi,
> I've recently got connected on my home machine with a Telstra/Saturn
> cable modem.
>
> I was wanting to check how much data I was downloading, so installed a
> traffic monitor. I noticed that, even when not doing anything I was
> downloading data at about 1K/second.
>
> I installed a packet sniffer and found that the traffic is made up of a
> large number of ARP who-has packets.
>
> I understand that these are broadcast packets. Does anyone know if I
> might be being charged for 'downloading' these packets? I would hope
> not, but it never hurts to ask.

The ARP traffic is normal for a cable connection. Your cable modem is a
transparent learning bridge (layer 2). The interface in your PC
connected to the cable modem communicates directly with a 'Universal
Broadband Router' (UBR) in T/Cs 'head end' at the MAC layer (layer 2).

You do not get charged for this traffic.

AD. wrote:

> Speaking of which, does that give you free networking between yourself and
> someone else on the same segment?

YES it does!!! I'm not sure if T/C want us to know that though

Nathan Mercer startled all and sundry by ejaculating the following words of
wisdom

> They're probably not, but might be, especially if you've installed the
> UPnP discovery feature in Windows XP

The reason I mentioned it is that I see a lot of traffic logged in my f/w
of other Telstra subscribers doing UPnP. It's enabled by default in WinXP
IIRC.

--
rob singers
pull finger to reply

"AD." <> wrote in message
news...
> On Tue, 04 May 2004 10:10:20 +1200, Gordon Smith wrote:
>
> I don't think it would be his network config, just the fact he's on a
> shared cable segment.
>
> We see a similar thing with Citylink/WIX, it's basically one big ethernet
> network, so you see a lot of ARP stuff floating around.
>
> I don't think Telstra would charge for it, it wouldn't go past the
> routers, and I presume the accounting is done on what goes through the
> routers?
>
> Speaking of which, does that give you free networking between yourself and
> someone else on the same segment?
>
> Cheers
> Anton


my mistake. I should have read the original post a bit better
didn't see the cable modem bit....

"Bok" <> wrote in message
news:eIIlc.1760$...
> AD. wrote:
>
> > Speaking of which, does that give you free networking between yourself
and
> > someone else on the same segment?
>
> YES it does!!! I'm not sure if T/C want us to know that though
>
>

And it's not accounted at layer 2 - netflow is layer 3 data.
This is one of the reasons providers are moving towards using PPPoE or
tunnels on shared segments. The main reason is for security - spoofing an
address on a shared segment is fairly trivial. That particular problem has
already caused issues for at least one provider that I know of.

In article <rGIlc.1759$>, lid
says...
> Peter Grooby wrote:

> > I installed a packet sniffer and found that the traffic is made up of a
> > large number of ARP who-has packets.
> >
> > I understand that these are broadcast packets. Does anyone know if I
> > might be being charged for 'downloading' these packets? I would hope
> > not, but it never hurts to ask.
>
> The ARP traffic is normal for a cable connection. Your cable modem is a
> transparent learning bridge (layer 2). The interface in your PC
> connected to the cable modem communicates directly with a 'Universal
> Broadband Router' (UBR) in T/Cs 'head end' at the MAC layer (layer 2).
>
> You do not get charged for this traffic.

Thanks for that.

Anyone know of a good traffic monitoring system, that can tell me how
much I have downloaded over a particular period, that has the ability to
filter out certain types of packets?

Pete

--
--
Remove pants from email address to reply.

Gordon Smith wrote:

>>>Speaking of which, does that give you free networking between yourself
> andsomeone else on the same segment?
>>
>>YES it does!!! I'm not sure if T/C want us to know that though
>
> And it's not accounted at layer 2 - netflow is layer 3 data.
> This is one of the reasons providers are moving towards using PPPoE or
> tunnels on shared segments. The main reason is for security - spoofing an
> address on a shared segment is fairly trivial.

While spoofing an address on certain implementations of a 'shared
segment' may be trivial; I don't think it's quite so trivial for the
type of connection under discussion.

In Christchurch T/C employ DOCCIS standard equipment (head ends and CMs)
and according to my cable modem config, Baseline Privacy has been
established. If this is working as advertised, layer 2 packets are
encrypted using DES encryption. A CM is required to authenticate with
its CMTS using a secure key exchange before it can come online and
established the keys used for encryption. Keys are supposedly changed
regularly.

"Bok" <> wrote in message
news:...
>
> While spoofing an address on certain implementations of a 'shared
> segment' may be trivial; I don't think it's quite so trivial for the
> type of connection under discussion.
>
> In Christchurch T/C employ DOCCIS standard equipment (head ends and CMs)
> and according to my cable modem config, Baseline Privacy has been
> established. If this is working as advertised, layer 2 packets are
> encrypted using DES encryption. A CM is required to authenticate with
> its CMTS using a secure key exchange before it can come online and
> established the keys used for encryption. Keys are supposedly changed
> regularly.
>

Agreed. DOCSIS can be quite an ordeal to implement (from the service
provider's point of view)

Had any probs with MTU size? In particular, sites that send packets with the
DF bit set and block all ICMP traffic. Just curious.... What MTU do you end
up with in your setup? 1492?

Peter Grooby <> wrote in
news::

> Anyone know of a good traffic monitoring system, that can tell me how
> much I have downloaded over a particular period, that has the ability to
> filter out certain types of packets?
>

Try these two.
http://readerror.gmxhome.de/ - great for one PC

http://www.trafficstatistic.com/prod...101HFWIEN.html

Ciao, Dave