I have a pretty technical question about a problem I'm experiencing with my cable connection which has me stumped. But before I go and type a very long story: are there any specialists here?
I'm by no means a specialist but I have been using mine for about a year and a half now.
I'll be glad to help if I can. Also, a friend of mine works for the cable company here in the internet department. I am sure he can help if I can't. If you want to, e-mail him and tell him that Dale said he might be able to help you... His name is James and his e-mail is frog@dahouse.net.
There is a guy online who was doing all sorts of tests on tweaking cable modem performance but I can't find his site right now. If I can find it I will send it to you, Cliff.
I have a couple of little programs for tweaking cable modems and also one for uncapping upstream. Unfortunately, my CyberSurfr modem will not work with any of them.
IP: Logged
09:40 PM
Dec 19th, 2000
Cliff Pennock Administrator
Posts: 11609 From: Zandvoort, The Netherlands Registered: Jan 99
Here is what I posted in one of the cable modem newsgroups (to which I received no response):
quote
I've been having the following problem for almost a year now and it's making internetting almost impossible. My ISP is too dumb to solve it (they even said it was normal behavior once).
First things first: I'm running both Windows 98 SE and Linux and the problem is the same on both OS's so I'm sure it's not caused by anything I'm running. Cable modem is a Surfboard SB3100.
Several times a day (most of the day actually), it looks like my connection dies on me. In fact, up until recently I was convinced I lost connection completely, so I just waited until it was back again. But then I noticed the activity light on my Surfboard was going haywire (almost constantly on) whenever I "lost" the connection. I ran Ping Plotter and noticed the connection was still there, but my pings were a minimum of 2000ms - even to the gateway (first hop). The activity light on the cable modem suggested a lot of traffic, so I downloaded and installed CommView - a network monitor program. When I started CommView, I noticed there was indeed a lot of traffic - but not to/from my computer. It was "Pass Through" traffic from an IP-address to the broadcast server (in excess of 100 packets/sec). As soon as this ip-address stopped generating traffic, my pings dropped to normal levels (9ms to the gateway).
Now my ip-address is "A.B.C.D", the ip-address that is generating the traffic is "A.B.E.F", and the destination (broadcast server) is "A.B.C.G". So the broadcast server is in my subnet, while the source ip-address isn't.
Now as I understand it, I'm not supposed to see any traffic besides my own, but I do. I fail to understand however what is causing these problems, and why it is influencing my connection so much.
Please, if you have any ideas what is causing this, let me know. This has been a problem for over a year now and my ISP does *nothing* about it (like I said, they're a bunch of dumbshits). I can hardly get on the internet anymore...
A small addition: I think it's an ICMP flood which isn't directed at me but at someone in my subnet.
IP: Logged
04:10 AM
Songman Member
Posts: 12496 From: Nashville, TN Registered: Aug 2000
I agree that you should not see any 'pass-through' traffic. Sounds to me like they have a hardware problem at the tap on the line where your feed is. Of course, that is just from my experience as a cable TV installer years ago.
Maybe James will have an idea if you sent that to him.
IP: Logged
08:46 AM
mbramble Member
Posts: 852 From: Cantonment, FL Registered: Dec 1999
I believe that you will see traffic all the time. You are on a segment with possibly many other users. Traffic on the segment is sent to all machines on the segment and your modem/NIC determine which of it is for you. It acts much like the network I am attached to at work.
Cable modems by default will pass all *broadcast* traffic. You should be seeing all non-local (i.e. not to or from your machine) arp requests, multicast headers, routing updates like RIP or OSPF broadcasts, and so on. In that context it behaves much like a network switch with a single vlan.
If you can, look at your arp cache (arp -a or similar flag) when running Linux to resolve the MAC addresses of the 2 machines you're talking about. If the mac address of the remote node matches that of your network's gateway machine, the remote box is off-net.
It could be that the other machine on your subnet is the victim (or source!) of random ping floods (ping -f), but it could also be a haywire application, or even a defective NIC card or cable modem that chatters randomly and is kicking off a broadcast storm.
Have you tried escalating this past the tier 1 support people? Debugging this type of problem generally requires a tier-3 person.
IP: Logged
12:14 PM
Cliff Pennock Administrator
Posts: 11609 From: Zandvoort, The Netherlands Registered: Jan 99
Interesting stuff. It took me a while to figure out it was a ping flood (never bothered to look at what kind of packets were sent), now I just have to find out if the source node is really the attacker, or just a poor sod with a trojan.
I did take this to a tier-3 person. Unfortunately, my ISP's tier-3s know less about networking than I do. In the past, I have solved a lot of problems for them (I call them because of a problem, they have no idea what I am talking about so I always end up doing some research myself and solve the problem for them).
I will do some more checking and go after the MAC-addresses of the nodes in question. That should be easy enough.
IP: Logged
01:10 PM
Cliff Pennock Administrator
Posts: 11609 From: Zandvoort, The Netherlands Registered: Jan 99
Oh wait, I wish to add a wee bit more information.
Ok, what I see with my network monitor program is that several ip-addresses are sending ICMP packets to the broadcast server at *exactly* the same time. If one of them stops, all others stop too. One of those source-addresses generates about 70% of those packets, while the others (usually around three) generate the remaining 30%.
My gateway's ip-address is a.b.c.1, the broadcast server's ip-address is a.b.c.255 (to which all the ICMP traffic is directed), and my ip address is a.b.c.101.
Now, what I was wondering is: who is the target for the ping flood? Is it the broadcast server? Or is it a machine outside my net (and I'm just seeing the traffic to the broadcast server)? And is my connection slowing down because the broadcast server is doing a DoS? Or is the broadcast server sending the ICMP packets back to every single node in the network (because that's what a broadcast server is for)?
Ah, that makes a difference; I misunderstood what you meant by a "broadcast" server. It sounds more like an intermittently chattering NIC card or someone misconfiguring their machine's ip address to the broadcast address, or you've got a flaky Ethernet cable or coax cable to the modem.
One positive feature of routers (vs. switches) is that they don't propagate broadcast storms, which means that you should be looking for the culprit on-net.
[This message has been edited by LarryB (edited 12-20-2000).]
IP: Logged
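An added example, not part of any post in this thread: one way to combine the two checks discussed above, the per-source share of ICMP sent to the subnet broadcast address and the gateway-MAC comparison for on-net versus off-net sources. The addresses, MACs, frame list and the /24 prefix are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not from the thread): placeholder addresses and MACs.
ARP_A = """\
? (10.20.30.1) at 00:10:aa:00:00:01 [ether] on eth0
? (10.20.30.57) at 00:20:bb:00:00:57 [ether] on eth0
"""
# One tuple per captured frame: (ethernet source MAC, source IP, dest IP, protocol)
FRAMES = (
    [("00:10:aa:00:00:01", "10.20.40.9", "10.20.30.255", "icmp")] * 70
    + [("00:20:bb:00:00:57", "10.20.30.57", "10.20.30.255", "icmp")] * 20
    + [("00:20:cc:00:00:88", "10.20.30.88", "10.20.30.255", "icmp")] * 10
    + [("00:10:aa:00:00:01", "198.51.100.7", "10.20.30.101", "tcp")] * 5
)

def parse_arp(text):
    """Map IP -> MAC from Linux `arp -a` style lines."""
    pat = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")
    return {ip: mac.lower() for ip, mac in pat.findall(text)}

def broadcast_icmp_report(frames, arp_text, my_ip, prefix_len, gateway_ip):
    """Per-source share of ICMP sent to the subnet broadcast address, with
    each source marked on-net or off-net by the MAC that delivered it."""
    net = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
    bcast = str(net.broadcast_address)
    gw_mac = parse_arp(arp_text)[gateway_ip]
    counts, macs = Counter(), {}
    for src_mac, src_ip, dst_ip, proto in frames:
        if proto == "icmp" and dst_ip == bcast:
            counts[src_ip] += 1
            macs[src_ip] = src_mac.lower()
    total = sum(counts.values())
    report = []
    for src_ip, n in counts.most_common():
        # A frame that arrives carrying the gateway's MAC was routed in: off-net.
        where = "off-net" if macs[src_ip] == gw_mac else "on-net"
        report.append((src_ip, round(100 * n / total), where))
    return bcast, report

if __name__ == "__main__":
    bcast, rows = broadcast_icmp_report(FRAMES, ARP_A, "10.20.30.101", 24, "10.20.30.1")
    print("broadcast address:", bcast)
    for ip, pct, where in rows:
        print(f"{ip:15} {pct:3d}%  {where}")
```

The frame tuples stand in for an export from whatever capture tool is in use; the comparison relies on the Ethernet source MAC of the captured frame, which for routed traffic is the gateway's.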
12:02 AM
Dec 21st, 2000
DJRice Member
Posts: 2741 From: Merritt Island, FL USA Registered: Jun 99
This makes me wonder about the problems I have been having with my Cable modem lately. I will just lose the signal for seconds to hours. I assumed it was the cable but I'm wondering if I shouldn't start monitoring traffic.
Cable modem tech support seems to be darn near worthless here as well. I had a modem die and I had to explain to the tech that he would have to call their office to update the MAC address for the new modem before the system would recognize it.