Charged for ARP packets?

Discussion in 'NZ Computing' started by Peter Grooby, May 3, 2004.

  1. Peter Grooby

    Peter Grooby Guest

    Hi,
    I've recently got connected on my home machine with a Telstra/Saturn
    cable modem.

    I was wanting to check how much data I was downloading, so installed a
    traffic monitor. I noticed that, even when not doing anything I was
    downloading data at about 1K/second.

    I installed a packet sniffer and found that the traffic is made up of a
    large number of ARP who-has packets.

    I understand that these are broadcast packets. Does anyone know if I
    might be being charged for 'downloading' these packets? I would hope
    not, but it never hurts to ask.

    I'll ask tech support as Telstra Saturn, but I may not get a reply, so I
    thought I'd ask here too.

    Thanks
    Pete
    --
    --
    Remove pants from email address to reply.
    Peter Grooby, May 3, 2004
    #1
    1. Advertising

  2. Peter Grooby

    Gordon Smith Guest

    "Peter Grooby" <> wrote in message
    news:...
    > Hi,
    > I've recently got connected on my home machine with a Telstra/Saturn
    > cable modem.
    >
    > I was wanting to check how much data I was downloading, so installed a
    > traffic monitor. I noticed that, even when not doing anything I was
    > downloading data at about 1K/second.
    >
    > I installed a packet sniffer and found that the traffic is made up of a
    > large number of ARP who-has packets.
    >
    > I understand that these are broadcast packets. Does anyone know if I
    > might be being charged for 'downloading' these packets? I would hope
    > not, but it never hurts to ask.
    >
    > I'll ask tech support as Telstra Saturn, but I may not get a reply, so I
    > thought I'd ask here too.
    >
    > Thanks
    > Pete



    Depends on where they put their accounting collection points... probably
    not.
    1k of nothing but ARPs sounds rather high - you should have a look at your
    network configuration.
    Gordon Smith, May 3, 2004
    #2
    1. Advertising

  3. Peter Grooby

    Peter Grooby Guest


    >
    > Depends on where they put their accounting collection points... probably
    > not.
    > 1k of nothing but ARPs sounds rather high - you should have a look at your
    > network configuration.


    It doesn't appear to be anything else. What network configeration
    options should I be looking at?

    Pete


    --
    --
    Remove pants from email address to reply.
    Peter Grooby, May 3, 2004
    #3
  4. Out from under a rock popped Peter Grooby and said

    > Hi,
    > I've recently got connected on my home machine with a Telstra/Saturn
    > cable modem.
    >
    > I was wanting to check how much data I was downloading, so installed a
    > traffic monitor. I noticed that, even when not doing anything I was
    > downloading data at about 1K/second.
    >
    > I installed a packet sniffer and found that the traffic is made up of
    > a large number of ARP who-has packets.
    >
    > I understand that these are broadcast packets. Does anyone know if I
    > might be being charged for 'downloading' these packets? I would hope
    > not, but it never hurts to ask.


    Out of interest are these Universal Plug and Play broadcasts?

    > I'll ask tech support as Telstra Saturn, but I may not get a reply, so
    > I thought I'd ask here too.


    I've found Telstra support very good. It might take a while but you
    should get a reply. Please post it here when you do.

    --
    rob singers
    pull finger to reply
    Credo Elvem ipsum etiam vivere
    Robert Singers, May 3, 2004
    #4
  5. Peter Grooby

    Peter Grooby Guest

    In article <Xns94DF6BCB3AB25rsingers@IP-Hidden>,
    says...
    > > I understand that these are broadcast packets. Does anyone know if I
    > > might be being charged for 'downloading' these packets? I would hope
    > > not, but it never hurts to ask.

    >
    > Out of interest are these Universal Plug and Play broadcasts?
    >

    I am using Ethereal to view the packets. How do I tell if they are
    Universal Plug and Play broadcasts?

    Pete

    --
    --
    Remove pants from email address to reply.
    Peter Grooby, May 3, 2004
    #5
  6. Peter Grooby

    Gordon Smith Guest

    "Peter Grooby" <> wrote in message
    news:...
    >
    >
    > It doesn't appear to be anything else. What network configeration
    > options should I be looking at?
    >
    > Pete
    >



    Well, you'll have a default route pointing towards your provider. The router
    at your end should be replying with the same MAC for every arp request. You
    can see what's being requested in ethereal, and then start working back from
    there. How you handle arp caching depends on the router you're using
    Gordon Smith, May 4, 2004
    #6
  7. Out from under a rock popped Peter Grooby and said

    > I am using Ethereal to view the packets. How do I tell if they are
    > Universal Plug and Play broadcasts?


    IIRC UDP 5000

    --
    rob singers
    pull finger to reply
    Credo Elvem ipsum etiam vivere
    Robert Singers, May 4, 2004
    #7
  8. Peter Grooby

    AD. Guest

    On Tue, 04 May 2004 10:10:20 +1200, Gordon Smith wrote:

    > 1k of nothing but ARPs sounds rather high - you should have a look at your
    > network configuration.


    I don't think it would be his network config, just the fact he's on a
    shared cable segment.

    We see a similar thing with Citylink/WIX, it's basically one big ethernet
    network, so you see a lot of ARP stuff floating around.

    I don't think Telstra would charge for it, it wouldn't go past the
    routers, and I presume the accounting is done on what goes through the
    routers?

    Speaking of which, does that give you free networking between yourself and
    someone else on the same segment?

    Cheers
    Anton
    AD., May 4, 2004
    #8
  9. Peter Grooby

    Peter Grooby Guest

    In article <>,
    says...
    >


    > > It doesn't appear to be anything else. What network configeration
    > > options should I be looking at?
    > >
    > > Pete
    > >

    >
    >
    > Well, you'll have a default route pointing towards your provider. The router
    > at your end should be replying with the same MAC for every arp request. You
    > can see what's being requested in ethereal, and then start working back from
    > there. How you handle arp caching depends on the router you're using
    >

    I am a bit new to this side of things. But from what I can gather the
    ARP is trying to find out the MAC address that corresponds to a given IP
    address, so that subsequent messages can be sent directly to that MAC
    address.
    So if I send out an ARP, and get a response, I need to store that
    response for later use. I have no reason to presume that isn't working
    OK in my system so I'm not too worried about that side of it.

    The traffic I am concerned about is the 99.99% of the ARPs which are
    machines I know nothing about, requesting the MAC addresses of other
    machines that I know nothing about. But because they are broadcasts, are
    being downloaded (and presumably ignored) by my machine.

    I just mant to make sure that there isn't some screwy billing system
    that will end up charging me for them, as they add up to about 70
    megs/day.

    Pete

    --
    --
    Remove pants from email address to reply.
    Peter Grooby, May 4, 2004
    #9
  10. Peter Grooby

    Peter Grooby Guest

    In article <Xns94DF79A36882Frsingers@IP-Hidden>,
    says...
    > Out from under a rock popped Peter Grooby and said
    >
    > > I am using Ethereal to view the packets. How do I tell if they are
    > > Universal Plug and Play broadcasts?

    >
    > IIRC UDP 5000


    I'll have a look tonight.

    Pete

    --
    --
    Remove pants from email address to reply.
    Peter Grooby, May 4, 2004
    #10
  11. Peter Grooby <> wrote in message news:<>...
    > > > I understand that these are broadcast packets. Does anyone know if I
    > > > might be being charged for 'downloading' these packets? I would hope
    > > > not, but it never hurts to ask.

    > >
    > > Out of interest are these Universal Plug and Play broadcasts?
    > >

    > I am using Ethereal to view the packets. How do I tell if they are
    > Universal Plug and Play broadcasts?


    UPnP traffic looks like SOAP traffic, so if you've got the etherreal
    sniffs do a search to see what that looks like

    They're probably not, but might be, especially if you've installed the
    UPnP discovery feature in Windows XP
    Nathan Mercer, May 4, 2004
    #11
  12. Peter Grooby

    Bok Guest

    Peter Grooby wrote:

    > Hi,
    > I've recently got connected on my home machine with a Telstra/Saturn
    > cable modem.
    >
    > I was wanting to check how much data I was downloading, so installed a
    > traffic monitor. I noticed that, even when not doing anything I was
    > downloading data at about 1K/second.
    >
    > I installed a packet sniffer and found that the traffic is made up of a
    > large number of ARP who-has packets.
    >
    > I understand that these are broadcast packets. Does anyone know if I
    > might be being charged for 'downloading' these packets? I would hope
    > not, but it never hurts to ask.


    The ARP traffic is normal for a cable connection. Your cable modem is a
    transparent learning bridge (layer 2). The interface in your PC
    connected to the cable modem communicates directly with a 'Universal
    Broadband Router' (UBR) in T/Cs 'head end' at the MAC layer (layer 2).

    You do not get charged for this traffic.
    Bok, May 4, 2004
    #12
  13. Peter Grooby

    Bok Guest

    AD. wrote:

    > Speaking of which, does that give you free networking between yourself and
    > someone else on the same segment?


    YES it does!!! I'm not sure if T/C want us to know that though :)
    Bok, May 4, 2004
    #13
  14. Nathan Mercer startled all and sundry by ejaculating the following words of
    wisdom

    > They're probably not, but might be, especially if you've installed the
    > UPnP discovery feature in Windows XP


    The reason I mentioned it is that I see a lot of traffic logged in my f/w
    of other Telstra subscribers doing UPnP. It's enabled by default in WinXP
    IIRC.

    --
    rob singers
    pull finger to reply
    Robert Singers, May 4, 2004
    #14
  15. Peter Grooby

    Gordon Smith Guest

    "AD." <> wrote in message
    news:p...
    > On Tue, 04 May 2004 10:10:20 +1200, Gordon Smith wrote:
    >
    > I don't think it would be his network config, just the fact he's on a
    > shared cable segment.
    >
    > We see a similar thing with Citylink/WIX, it's basically one big ethernet
    > network, so you see a lot of ARP stuff floating around.
    >
    > I don't think Telstra would charge for it, it wouldn't go past the
    > routers, and I presume the accounting is done on what goes through the
    > routers?
    >
    > Speaking of which, does that give you free networking between yourself and
    > someone else on the same segment?
    >
    > Cheers
    > Anton



    my mistake. I should have read the original post a bit better :)
    didn't see the cable modem bit....
    Gordon Smith, May 4, 2004
    #15
  16. Peter Grooby

    Gordon Smith Guest

    "Bok" <> wrote in message
    news:eIIlc.1760$...
    > AD. wrote:
    >
    > > Speaking of which, does that give you free networking between yourself

    and
    > > someone else on the same segment?

    >
    > YES it does!!! I'm not sure if T/C want us to know that though :)
    >
    >


    And it's not accounted at layer 2 - netflow is layer 3 data.
    This is one of the reasons providers are moving towards using PPPoE or
    tunnels on shared segments. The main reason is for security - spoofing an
    address on a shared segment is fairly trivial. That particular problem has
    already caused issues for at least one provider that I know of.
    Gordon Smith, May 4, 2004
    #16
  17. Peter Grooby

    Peter Grooby Guest

    In article <rGIlc.1759$>, lid
    says...
    > Peter Grooby wrote:


    > > I installed a packet sniffer and found that the traffic is made up of a
    > > large number of ARP who-has packets.
    > >
    > > I understand that these are broadcast packets. Does anyone know if I
    > > might be being charged for 'downloading' these packets? I would hope
    > > not, but it never hurts to ask.

    >
    > The ARP traffic is normal for a cable connection. Your cable modem is a
    > transparent learning bridge (layer 2). The interface in your PC
    > connected to the cable modem communicates directly with a 'Universal
    > Broadband Router' (UBR) in T/Cs 'head end' at the MAC layer (layer 2).
    >
    > You do not get charged for this traffic.


    Thanks for that.

    Anyone know of a good traffic monitoring system, that can tell me how
    much I have downloaded over a particular period, that has the ability to
    filter out certain types of packets?

    Pete

    --
    --
    Remove pants from email address to reply.
    Peter Grooby, May 4, 2004
    #17
  18. Peter Grooby

    Bok Guest

    Gordon Smith wrote:

    >>>Speaking of which, does that give you free networking between yourself

    > andsomeone else on the same segment?
    >>
    >>YES it does!!! I'm not sure if T/C want us to know that though :)

    >
    > And it's not accounted at layer 2 - netflow is layer 3 data.
    > This is one of the reasons providers are moving towards using PPPoE or
    > tunnels on shared segments. The main reason is for security - spoofing an
    > address on a shared segment is fairly trivial.


    While spoofing an address on certain implementations of a 'shared
    segment' may be trivial; I don't think it's quite so trivial for the
    type of connection under discussion.

    In Christchurch T/C employ DOCCIS standard equipment (head ends and CMs)
    and according to my cable modem config, Baseline Privacy has been
    established. If this is working as advertised, layer 2 packets are
    encrypted using DES encryption. A CM is required to authenticate with
    its CMTS using a secure key exchange before it can come online and
    established the keys used for encryption. Keys are supposedly changed
    regularly.
    Bok, May 5, 2004
    #18
  19. Peter Grooby

    Gordon Smith Guest

    "Bok" <> wrote in message
    news:...
    >
    > While spoofing an address on certain implementations of a 'shared
    > segment' may be trivial; I don't think it's quite so trivial for the
    > type of connection under discussion.
    >
    > In Christchurch T/C employ DOCCIS standard equipment (head ends and CMs)
    > and according to my cable modem config, Baseline Privacy has been
    > established. If this is working as advertised, layer 2 packets are
    > encrypted using DES encryption. A CM is required to authenticate with
    > its CMTS using a secure key exchange before it can come online and
    > established the keys used for encryption. Keys are supposedly changed
    > regularly.
    >


    Agreed. DOCSIS can be quite an ordeal to implement (from the service
    provider's point of view)
    :)
    Had any probs with MTU size? In particular, sites that send packets with the
    DF bit set and block all ICMP traffic. Just curious.... What MTU do you end
    up with in your setup? 1492?
    Gordon Smith, May 6, 2004
    #19
  20. Peter Grooby

    Dave Taylor Guest

    Dave Taylor, May 6, 2004
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Folklore

    Maha 401 - Charging 'charged' batteries ?

    Folklore, Oct 23, 2003, in forum: Digital Photography
    Replies:
    4
    Views:
    1,227
    Folklore
    Oct 25, 2003
  2. Roy L. Fuchs
    Replies:
    0
    Views:
    386
    Roy L. Fuchs
    Jan 15, 2006
  3. Replies:
    7
    Views:
    757
    Barry Margolin
    Feb 26, 2008
  4. Giuen
    Replies:
    0
    Views:
    668
    Giuen
    Sep 12, 2008
  5. Darren Green

    Arp or Proxy Arp

    Darren Green, Feb 20, 2009, in forum: Cisco
    Replies:
    0
    Views:
    513
    Darren Green
    Feb 20, 2009
Loading...

Share This Page