2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how
much bandwidth they are using? Can you tell us what percentage of the
packets are broadcasts? A rule of thumb that Cisco teaches is that no more
than 20% of your packets should be broadcasts. The main problem with
broadcasts is that they interrupt station CPUs, but with the high-speed of
CPUs these days, that is less of an issue.
You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is
NetBIOS running directly on a data-link, which is not what you are
running.) NetBIOS sends lots of broadcasts. In this example, the server
CDTOWER is sending a broadcast. You need to find out if that is necessary
on your network or not. It seems a bit odd that CDTOWER is sending the
frame directly to RND at the NetBIOS layer but to a broadcast address at
the network and data-link layers. Sometimes a subnet mask misconfiguration
can cause such a problem. Check CDTOWER and RND's configs.
The last byte of a NetBIOS name tells you what kind of device it is.
CDTOWER ends with x20, which means server, if I remember correctly. RND
ends with 0x0 and I have forgotten what that means and my NetBIOS
documentation is packed away. But you could find this somewhere on the Net
or one of our esteemed colleagues probably knows.
I don't recognize the other broadcast packets. They have an 802.3 length
field of 0 even though there's data in the packet. It sounds like a bug?
Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and
check its configuration?
Priscilla
At 05:20 AM 6/26/01, Ramesh c wrote:
>I did a kind of traffic study on my network and here it goes....
>
>1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in
>my network?
>
>---------------------------------------------------------------------
>2)Most of the Broadcast of this type...
>57 0.03870 10.65.2.192 -> 10.65.2.255 NBT Datagram Service Type=17
>Source=CDTOWER[20]
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 57 arrived at 14:44:47.57
>ETHER: Packet size = 266 bytes
>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>ETHER: Source = 0:60:b0:b6:b2:62,
>ETHER: Ethertype = 0800 (IP)
>ETHER:
>IP: ----- IP Header -----
>IP:
>IP: Version = 4
>IP: Header length = 20 bytes
>IP: Type of service = 0x00
>IP: xxx. .... = 0 (precedence)
>IP: ...0 .... = normal delay
>IP: .... 0... = normal throughput
>IP: .... .0.. = normal reliability
>IP: Total length = 252 bytes
>IP: Identification = 22165
>IP: Flags = 0x0
>IP: .0.. .... = may fragment
>IP: ..0. .... = last fragment
>IP: Fragment offset = 0 bytes
>IP: Time to live = 64 seconds/hops
>IP: Protocol = 17 (UDP)
>IP: Header checksum = 091c
>IP: Source address = 192.65.2.192, 192.65.2.192
>IP: Destination address = 192.65.2.255, 192.65.2.255
>IP: No options
>IP:
>UDP: ----- UDP Header -----
>UDP:
>UDP: Source port = 138
>UDP: Destination port = 138 (NBDG)
>UDP: Length = 232
>UDP: Checksum = 0000 (no checksum)
>UDP:
>NBT: ----- Netbios Datagram Service Header -----
>NBT:
>NBT: Datagram Packet Type = 0x11
>NBT: Datagram Flags = 0x0a
>NBT: Datagram ID = 0xb367
>NBT: Source IP = 192.65.2.192
>NBT: Source Port = 138
>NBT: Datagram Length = 0x00d2
>NBT: Packet Offset = 0x0000
>NBT: Source Name = CDTOWER[20]
>NBT: Destination Name = RND[0]
>NBT: Number of data bytes remaining = 142
>NBT:
>
>Is this a normal behaviour or do I need to remove netbeui protocol?
>--------------------------------------------------------------------
>
>3)Another type od Broadcast packet
>509 0.28533 ? -> (broadcast) ETHER Type=0000 (LLC/802.3), size
>= 110 bytes
>510 1.54573 ? -> (broadcast) ETHER Type=0000 (LLC/802.3), size
>= 110 bytes
>511 0.72617 ? -> (broadcast) ETHER Type=0000 (LLC/802.3), size
>= 110 bytes
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 511 arrived at 14:51:52.90
>ETHER: Packet size = 110 bytes
>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>ETHER: Source = 0:8:c7:d2:4a:ab,
>ETHER: IEEE 802.3 length = 96 bytes
>ETHER: Ethertype = 0000 (LLC/802.3)
>ETHER:
>
>What is this broadcast packet trying to do?Or how do i debug this for more
>info.
>
>Any help would be appricated
>
>Cheers
>Ramesh
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9998&t=9944
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
