More input
Today I analzsed the network for 45 minutes of which 5500 packets were
caught of which 4100 were Broadcast(1650) and multicast.
Does that sound any caution on my network?.
The Broadcast and multicast packets header as follows
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 88 arrived at 11:20:55.53
ETHER: Packet size = 494 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:10:7b:b6:ee:a0,
ETHER: IEEE 802.3 length = 480 bytes
ETHER: Ethertype = 0000 (LLC/802.3)
ETHER:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 89 arrived at 11:20:55.59
ETHER: Packet size = 494 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:10:7b:b6:ee:a0,
ETHER: IEEE 802.3 length = 480 bytes
ETHER: Ethertype = 0000 (LLC/802.3)
ETHER:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 90 arrived at 11:20:55.64
ETHER: Packet size = 494 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:10:7b:b6:ee:a0,
ETHER: IEEE 802.3 length = 480 bytes
ETHER: Ethertype = 0000 (LLC/802.3)
ETHER:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 91 arrived at 11:20:55.70
ETHER: Packet size = 110 bytes
ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
ETHER: Source = 0:10:7b:b6:ee:a0,
ETHER: IEEE 802.3 length = 96 bytes
ETHER: Ethertype = 0000 (LLC/802.3)
ETHER:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 92 arrived at 11:20:55.88
ETHER: Packet size = 52 bytes
ETHER: Destination = 1:80:c2:0:0:0, (multicast)
ETHER: Source = 0:90:ab:ec:f3:5,
ETHER: IEEE 802.3 length = 38 bytes
ETHER: Ethertype = 0000 (LLC/802.3)
ETHER:
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 93 arrived at 11:20:55.94
ETHER: Packet size = 45 bytes
ETHER: Destination = 9:0:7:ff:ff:ff, (multicast)
ETHER: Source = 0:60:b0:54:c1:7e,
ETHER: IEEE 802.3 length = 31 bytes
ETHER: Ethertype = 809B (EtherTalk (AppleTalk over Ethernet))
ETHER:
--
On Tue, 26 Jun 2001 12:58:10
Priscilla Oppenheimer wrote:
>2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how
>much bandwidth they are using? Can you tell us what percentage of the
>packets are broadcasts? A rule of thumb that Cisco teaches is that no more
>than 20% of your packets should be broadcasts. The main problem with
>broadcasts is that they interrupt station CPUs, but with the high-speed of
>CPUs these days, that is less of an issue.
>
>You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is
>NetBIOS running directly on a data-link, which is not what you are
>running.) NetBIOS sends lots of broadcasts. In this example, the server
>CDTOWER is sending a broadcast. You need to find out if that is necessary
>on your network or not. It seems a bit odd that CDTOWER is sending the
>frame directly to RND at the NetBIOS layer but to a broadcast address at
>the network and data-link layers. Sometimes a subnet mask misconfiguration
>can cause such a problem. Check CDTOWER and RND's configs.
>
>The last byte of a NetBIOS name tells you what kind of device it is.
>CDTOWER ends with x20, which means server, if I remember correctly. RND
>ends with 0x0 and I have forgotten what that means and my NetBIOS
>documentation is packed away. But you could find this somewhere on the Net
>or one of our esteemed colleagues probably knows.
>
>I don't recognize the other broadcast packets. They have an 802.3 length
>field of 0 even though there's data in the packet. It sounds like a bug?
>Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and
>check its configuration?
>
>Priscilla
>
>At 05:20 AM 6/26/01, Ramesh c wrote:
>>I did a kind of traffic study on my network and here it goes....
>>
>>1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm
in
>>my network?
>>
>>---------------------------------------------------------------------
>>2)Most of the Broadcast of this type...
>>57 0.03870 10.65.2.192 -> 10.65.2.255 NBT Datagram Service Type=17
>>Source=CDTOWER[20]
>>
>>ETHER: ----- Ether Header -----
>>ETHER:
>>ETHER: Packet 57 arrived at 14:44:47.57
>>ETHER: Packet size = 266 bytes
>>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>>ETHER: Source = 0:60:b0:b6:b2:62,
>>ETHER: Ethertype = 0800 (IP)
>>ETHER:
>>IP: ----- IP Header -----
>>IP:
>>IP: Version = 4
>>IP: Header length = 20 bytes
>>IP: Type of service = 0x00
>>IP: xxx. .... = 0 (precedence)
>>IP: ...0 .... = normal delay
>>IP: .... 0... = normal throughput
>>IP: .... .0.. = normal reliability
>>IP: Total length = 252 bytes
>>IP: Identification = 22165
>>IP: Flags = 0x0
>>IP: .0.. .... = may fragment
>>IP: ..0. .... = last fragment
>>IP: Fragment offset = 0 bytes
>>IP: Time to live = 64 seconds/hops
>>IP: Protocol = 17 (UDP)
>>IP: Header checksum = 091c
>>IP: Source address = 192.65.2.192, 192.65.2.192
>>IP: Destination address = 192.65.2.255, 192.65.2.255
>>IP: No options
>>IP:
>>UDP: ----- UDP Header -----
>>UDP:
>>UDP: Source port = 138
>>UDP: Destination port = 138 (NBDG)
>>UDP: Length = 232
>>UDP: Checksum = 0000 (no checksum)
>>UDP:
>>NBT: ----- Netbios Datagram Service Header -----
>>NBT:
>>NBT: Datagram Packet Type = 0x11
>>NBT: Datagram Flags = 0x0a
>>NBT: Datagram ID = 0xb367
>>NBT: Source IP = 192.65.2.192
>>NBT: Source Port = 138
>>NBT: Datagram Length = 0x00d2
>>NBT: Packet Offset = 0x0000
>>NBT: Source Name = CDTOWER[20]
>>NBT: Destination Name = RND[0]
>>NBT: Number of data bytes remaining = 142
>>NBT:
>>
>>Is this a normal behaviour or do I need to remove netbeui protocol?
>>--------------------------------------------------------------------
>>
>>3)Another type od Broadcast packet
>>509 0.28533 ? -> (broadcast) ETHER Type=0000 (LLC/802.3),
size
>>= 110 bytes
>>510 1.54573 ? -> (broadcast) ETHER Type=0000 (LLC/802.3),
size
>>= 110 bytes
>>511 0.72617 ? -> (broadcast) ETHER Type=0000 (LLC/802.3),
size
>>= 110 bytes
>>
>>ETHER: ----- Ether Header -----
>>ETHER:
>>ETHER: Packet 511 arrived at 14:51:52.90
>>ETHER: Packet size = 110 bytes
>>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>>ETHER: Source = 0:8:c7:d2:4a:ab,
>>ETHER: IEEE 802.3 length = 96 bytes
>>ETHER: Ethertype = 0000 (LLC/802.3)
>>ETHER:
>>
>>What is this broadcast packet trying to do?Or how do i debug this for more
>>info.
>>
>>Any help would be appricated
>>
>>Cheers
>>Ramesh
>
>
>________________________
>
>Priscilla Oppenheimer
>http://www.priscilla.com
>
>
Get 250 color business cards for FREE!
http://businesscards.lycos.com/vp/fastpath/
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10083&t=9944
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
