I just ran a capture that is very puzzling to me. I am hoping someone can shed some light on why this might be occurring.
My capture shows about 5000 ESP packets in 15 seconds. During this time frame the ability to ping nodes on my network became almost impossible. As soon as nodes were responding to pings, the ESP traffic was pretty much gone. In reviewing the packets, it seems that they all have the same remote SRC IP and local DST IP, but the SRC MAC alternates between 5 different MACs that are local to my network. And the DST MAC is the correct MAC for the DST IP.
My question is why would I see this type of traffic? Secondly, why would all the packets show a local DST IP and DST MAC but show a remote SRC IP, but the SRC MACs are 5 different local hosts? This is happening on an ISP network with a few hundred DSL customers.
Any help or ideas would be greatly appreciated.
Thanks,
Charlie