Something is definitely looping in your network. 99,5% of the traffic comes from one IP address (10.1.1.104) and these packets have weird Ethernet source and destination addresses. It's only a couple of packets, but each is sent ~50000 times:
```
$ tshark -r capture.pcapng -Y "eth.addr==81:00:00:0a:81:00" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e ip.id | sort | uniq -c
50499 10.1.1.104 100.20.60.178 35582 443 0xaaf3
48607 10.1.1.104 100.20.60.178 35582 443 0xaaf4
48607 10.1.1.104 100.20.60.178 35582 443 0xaaf5
55784 10.1.1.104 52.34.143.227 40084 443 0xdd70
49893 10.1.1.104 52.34.143.227 40084 443 0xdd71
49890 10.1.1.104 52.34.143.227 40084 443 0xdd72
49887 10.1.1.104 52.34.143.227 40084 443 0xdd73
47561 10.1.1.104 52.34.143.227 40084 443 0xdd74
$
```
I would start looking at your switches to see on which port the source MAC address (00:0a:81:00:00:0a) lives. And maybe shut down that port to see if the problems are gone. Then investigate what is causing this system to misbehave.
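
Added example, not part of the original answer: the same `sort | uniq -c` idea as a reusable check that lists every packet identity (addresses, ports, IP ID) seen at least a given number of times and reports what share of the capture those copies make up. The names `find_looped` and `sample_fields`, the threshold of 100 and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Input: one packet per line with the five fields used in the answer, e.g.
#   tshark -r capture.pcapng -T fields -e ip.src -e ip.dst \
#          -e tcp.srcport -e tcp.dstport -e ip.id | find_looped 100

find_looped() {
    # $1 = minimum number of identical copies before an identity is reported
    awk -v min="${1:-100}" '
        # Rows without all five fields (non-TCP or non-IP packets) are skipped.
        NF != 5 { next }
        { total++ }
        # IP ID 0 is not evidence of a loop: hosts may send many unrelated
        # DF packets with ID 0, so those rows count toward the total only.
        $5 ~ /^0x0+$/ { next }
        { copies[$1 " " $2 " " $3 " " $4 " " $5]++ }
        END {
            sorter = "sort -rn"
            for (k in copies)
                if (copies[k] >= min) {
                    printf "%d %s\n", copies[k], k | sorter
                    dup += copies[k]
                }
            close(sorter)          # emit the sorted list before the summary
            if (total > 0)
                printf "looped: %d of %d packets (%.1f%%)\n",
                       dup, total, 100 * dup / total
        }'
}

sample_fields() {
    # Constructed sample data, not taken from the capture in the answer.
    awk 'BEGIN {
        for (i = 0; i < 600; i++) print "10.0.0.5\t192.0.2.10\t40000\t443\t0x1a01"
        for (i = 0; i < 300; i++) print "10.0.0.5\t192.0.2.10\t40000\t443\t0x1a02"
        for (i = 0; i < 97; i++)  print "10.0.0.9\t192.0.2.40\t53000\t443\t0x0000"
        print "10.0.0.7\t192.0.2.20\t51000\t443\t0x0001"
        print "10.0.0.7\t192.0.2.20\t51000\t443\t0x0002"
        print "10.0.0.8\t192.0.2.30\t52000\t80\t0x0400"
    }'
}

sample_fields | find_looped 100
```

Adding `-e eth.src` to the tshark field list (and a sixth field to the awk key) ties each repeated packet to the MAC address to look up on the switches.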