The last byte of a NetBIOS name is usually put in between a less-than or
greater-than symbol, which the e-mail server thought was HTML and stripped.
Sigh. ;-) Here they are again.

00 redirector name
03 main user name
05 alias name
20 server name

Priscilla

At 05:31 PM 6/26/01, Priscilla Oppenheimer wrote:
>I found the documentation on what the last byte of a NetBIOS name means.
>Though it's not very "user friendly," here it is:
>
> redirector name
> main user name
> alias name
> server name
>
>This leads me to believe that RND is a workstation running a
>redirector, which is normal. I think it is quite odd, however, that the
>CDTOWER server sends a datagram to the RND workstation as a broadcast.
>
>If the server were using port 137, which is often used for naming
>announcements, then it wouldn't be weird. But it's using port 138. NetBIOS
>ports are:
>
>137 Name Service
>138 Datagram Service
>139 Session Service
>
>So what might cause CDTOWER's TCP/IP stack to think that 192.65.2.255 is a
>broadcast? (What might have caused the stack to tell the data-link layer to
>send the frame to the broadcast address?) CDTOWER's own IP address is
>192.65.2.192.
>
>We can't tell the subnet mask from the frames, but anyone have any
>theories? It's good practice in bit-twiddling. There are many possibilities.
>
>How CDTOWER got the IP address for RND to start with is another (harder)
>mystery....
>
>Priscilla
>
>At 04:09 PM 6/26/01, Priscilla Oppenheimer wrote:
> >2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how
> >much bandwidth they are using? Can you tell us what percentage of the
> >packets are broadcasts? A rule of thumb that Cisco teaches is that no more
> >than 20% of your packets should be broadcasts. The main problem with
> >broadcasts is that they interrupt station CPUs, but with the high-speed of
> >CPUs these days, that is less of an issue.
> >
> >You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is
> >NetBIOS running directly on a data-link, which is not what you are
> >running.) NetBIOS sends lots of broadcasts. In this example, the server
> >CDTOWER is sending a broadcast. You need to find out if that is necessary
> >on your network or not. It seems a bit odd that CDTOWER is sending the
> >frame directly to RND at the NetBIOS layer but to a broadcast address at
> >the network and data-link layers. Sometimes a subnet mask misconfiguration
> >can cause such a problem. Check CDTOWER and RND's configs.
> >
> >The last byte of a NetBIOS name tells you what kind of device it is.
> >CDTOWER ends with x20, which means server, if I remember correctly. RND
> >ends with 0x0 and I have forgotten what that means and my NetBIOS
> >documentation is packed away. But you could find this somewhere on the Net
> >or one of our esteemed colleagues probably knows.
> >
> >I don't recognize the other broadcast packets. They have an 802.3 length
> >field of 0 even though there's data in the packet. It sounds like a bug?
> >Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and
> >check its configuration?
> >
> >Priscilla
> >
> >At 05:20 AM 6/26/01, Ramesh c wrote:
> > >I did a kind of traffic study on my network and here it goes....
> > >
> > >1) I get about 2100 broadcast packets in 30 minutes. Does that sound an alarm in
> > >my network?
> > >
> > >---------------------------------------------------------------------
> > >2) Most of the Broadcast of this type...
> > >57 0.03870 10.65.2.192 -> 10.65.2.255 NBT Datagram Service Type=17
> > >Source=CDTOWER[20]
> > >
> > >ETHER: ----- Ether Header -----
> > >ETHER:
> > >ETHER: Packet 57 arrived at 14:44:47.57
> > >ETHER: Packet size = 266 bytes
> > >ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> > >ETHER: Source = 0:60:b0:b6:b2:62,
> > >ETHER: Ethertype = 0800 (IP)
> > >ETHER:
> > >IP: ----- IP Header -----
> > >IP:
> > >IP: Version = 4
> > >IP: Header length = 20 bytes
> > >IP: Type of service = 0x00
> > >IP: xxx. .... = 0 (precedence)
> > >IP: ...0 .... = normal delay
> > >IP: .... 0... = normal throughput
> > >IP: .... .0.. = normal reliability
> > >IP: Total length = 252 bytes
> > >IP: Identification = 22165
> > >IP: Flags = 0x0
> > >IP: .0.. .... = may fragment
> > >IP: ..0. .... = last fragment
> > >IP: Fragment offset = 0 bytes
> > >IP: Time to live = 64 seconds/hops
> > >IP: Protocol = 17 (UDP)
> > >IP: Header checksum = 091c
> > >IP: Source address = 192.65.2.192, 192.65.2.192
> > >IP: Destination address = 192.65.2.255, 192.65.2.255
> > >IP: No options
> > >IP:
> > >UDP: ----- UDP Header -----
> > >UDP:
> > >UDP: Source port = 138
> > >UDP: Destination port = 138 (NBDG)
> > >UDP: Length = 232
> > >UDP: Checksum = 0000 (no checksum)
> > >UDP:
> > >NBT: ----- Netbios Datagram Service Header -----
> > >NBT:
> > >NBT: Datagram Packet Type = 0x11
> > >NBT: Datagram Flags = 0x0a
> > >NBT: Datagram ID = 0xb367
> > >NBT: Source IP = 192.65.2.192
> > >NBT: Source Port = 138
> > >NBT: Datagram Length = 0x00d2
> > >NBT: Packet Offset = 0x0000
> > >NBT: Source Name = CDTOWER[20]
> > >NBT: Destination Name = RND[0]
> > >NBT: Number of data bytes remaining = 142
> > >NBT:
> > >
> > >Is this a normal behaviour or do I need to remove netbeui protocol?
> > >--------------------------------------------------------------------
> > >
> > >3) Another type of Broadcast packet
> > >509 0.28533 ? -> (broadcast) ETHER Type=0000 (LLC/802.3), size
> > >= 110 bytes
> > >510 1.54573 ? -> (broadcast) ETHER Type=0000 (LLC/802.3), size
> > >= 110 bytes
> > >511 0.72617 ? -> (broadcast) ETHER Type=0000 (LLC/802.3), size
> > >= 110 bytes
> > >
> > >ETHER: ----- Ether Header -----
> > >ETHER:
> > >ETHER: Packet 511 arrived at 14:51:52.90
> > >ETHER: Packet size = 110 bytes
> > >ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> > >ETHER: Source = 0:8:c7:d2:4a:ab,
> > >ETHER: IEEE 802.3 length = 96 bytes
> > >ETHER: Ethertype = 0000 (LLC/802.3)
> > >ETHER:
> > >
> > >What is this broadcast packet trying to do? Or how do I debug this for more
> > >info.
> > >
> > >Any help would be appreciated
> > >
> > >Cheers
> > >Ramesh
> >
> >
> >________________________
> >
> >Priscilla Oppenheimer
> >http://www.priscilla.com
>________________________
>
>Priscilla Oppenheimer
>http://www.priscilla.com
________________________

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10022&t=10022
--------------------------------------------------
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
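
The subnet-mask question raised in the thread can be worked through mechanically. The following is an added example, not part of the original messages: it takes the two addresses from the capture and lists every mask under which 192.65.2.255 is the directed broadcast of CDTOWER's own subnet, plus the mask-independent classful case. The function names are hypothetical.

```python
import ipaddress

HOST = "192.65.2.192"   # CDTOWER's address, from the IP header in the capture
DEST = "192.65.2.255"   # destination that went out as a link-layer broadcast


def classful_prefix(addr):
    """Natural (pre-CIDR) prefix length for a unicast IPv4 address."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address has no natural mask")


def masks_making_broadcast(host, dest):
    """Masks for which dest is the directed broadcast of host's own subnet."""
    dest_ip = ipaddress.IPv4Address(dest)
    hits = []
    for plen in range(8, 31):          # /31 and /32 have no broadcast address
        iface = ipaddress.IPv4Interface(f"{host}/{plen}")
        if iface.network.broadcast_address == dest_ip:
            hits.append((plen, str(iface.netmask), str(iface.network)))
    return hits


def is_all_subnets_broadcast(host, dest):
    """True if dest is the broadcast of host's classful network.

    RFC 1122 lists this {net, -1, -1} form as a broadcast address as well,
    so it matches whatever subnet mask is configured on the host.
    """
    plen = classful_prefix(host)
    net = ipaddress.IPv4Interface(f"{host}/{plen}").network
    return ipaddress.IPv4Address(dest) == net.broadcast_address


if __name__ == "__main__":
    for plen, mask, net in masks_making_broadcast(HOST, DEST):
        print(f"/{plen:<2} {mask:<16} subnet {net}")
    print("classful all-subnets broadcast:", is_all_subnets_broadcast(HOST, DEST))
```

With any longer mask (for example /27), 192.65.2.255 falls outside CDTOWER's subnet, so only the classful interpretation would still make it a broadcast; comparing the configured masks on CDTOWER and RND against this list is the check the thread recommends.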