At 01:45 AM 6/27/01, Ramesh c wrote:
>More input
>
>Today I analzsed the network for 45 minutes of which 5500 packets were
>caught of which 4100 were Broadcast(1650) and multicast.
That's a lot, but are you capturing on a switched port? You will see only
broadcasts and packets to that port (unless you use SPAN).
I can't understand why it says EtherType is 0000, especially since it is an
803.2 frame. I guess it's just trying to tell you that there is no
EtherType. But what is the SAP?
One of them is in AppleTalk frame. AppleTalk routers multicast their
routing table every 10 seconds, which is a lot and could "skew" the data.
Priscilla
>Does that sound any caution on my network?.
>
>The Broadcast and multicast packets header as follows
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 88 arrived at 11:20:55.53
>ETHER: Packet size = 494 bytes
>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>ETHER: Source = 0:10:7b:b6:ee:a0,
>ETHER: IEEE 802.3 length = 480 bytes
>ETHER: Ethertype = 0000 (LLC/802.3)
>ETHER:
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 89 arrived at 11:20:55.59
>ETHER: Packet size = 494 bytes
>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>ETHER: Source = 0:10:7b:b6:ee:a0,
>ETHER: IEEE 802.3 length = 480 bytes
>ETHER: Ethertype = 0000 (LLC/802.3)
>ETHER:
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 90 arrived at 11:20:55.64
>ETHER: Packet size = 494 bytes
>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>ETHER: Source = 0:10:7b:b6:ee:a0,
>ETHER: IEEE 802.3 length = 480 bytes
>ETHER: Ethertype = 0000 (LLC/802.3)
>ETHER:
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 91 arrived at 11:20:55.70
>ETHER: Packet size = 110 bytes
>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
>ETHER: Source = 0:10:7b:b6:ee:a0,
>ETHER: IEEE 802.3 length = 96 bytes
>ETHER: Ethertype = 0000 (LLC/802.3)
>ETHER:
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 92 arrived at 11:20:55.88
>ETHER: Packet size = 52 bytes
>ETHER: Destination = 1:80:c2:0:0:0, (multicast)
>ETHER: Source = 0:90:ab:ec:f3:5,
>ETHER: IEEE 802.3 length = 38 bytes
>ETHER: Ethertype = 0000 (LLC/802.3)
>ETHER:
>
>ETHER: ----- Ether Header -----
>ETHER:
>ETHER: Packet 93 arrived at 11:20:55.94
>ETHER: Packet size = 45 bytes
>ETHER: Destination = 9:0:7:ff:ff:ff, (multicast)
>ETHER: Source = 0:60:b0:54:c1:7e,
>ETHER: IEEE 802.3 length = 31 bytes
>ETHER: Ethertype = 809B (EtherTalk (AppleTalk over Ethernet))
>ETHER:
>
>--
>
>On Tue, 26 Jun 2001 12:58:10
> Priscilla Oppenheimer wrote:
> >2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how
> >much bandwidth they are using? Can you tell us what percentage of the
> >packets are broadcasts? A rule of thumb that Cisco teaches is that no more
> >than 20% of your packets should be broadcasts. The main problem with
> >broadcasts is that they interrupt station CPUs, but with the high-speed of
> >CPUs these days, that is less of an issue.
> >
> >You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is
> >NetBIOS running directly on a data-link, which is not what you are
> >running.) NetBIOS sends lots of broadcasts. In this example, the server
> >CDTOWER is sending a broadcast. You need to find out if that is necessary
> >on your network or not. It seems a bit odd that CDTOWER is sending the
> >frame directly to RND at the NetBIOS layer but to a broadcast address at
> >the network and data-link layers. Sometimes a subnet mask misconfiguration
> >can cause such a problem. Check CDTOWER and RND's configs.
> >
> >The last byte of a NetBIOS name tells you what kind of device it is.
> >CDTOWER ends with x20, which means server, if I remember correctly. RND
> >ends with 0x0 and I have forgotten what that means and my NetBIOS
> >documentation is packed away. But you could find this somewhere on the Net
> >or one of our esteemed colleagues probably knows.
> >
> >I don't recognize the other broadcast packets. They have an 802.3 length
> >field of 0 even though there's data in the packet. It sounds like a bug?
> >Would it be possible to find the station sending them (0:8:c7:d2:4a:ab)
and
> >check its configuration?
> >
> >Priscilla
> >
> >At 05:20 AM 6/26/01, Ramesh c wrote:
> >>I did a kind of traffic study on my network and here it goes....
> >>
> >>1)I get about 2100 broadcast packets in 30minutes.Does that sound a
> alarm in
> >>my network?
> >>
> >>---------------------------------------------------------------------
> >>2)Most of the Broadcast of this type...
> >>57 0.03870 10.65.2.192 -> 10.65.2.255 NBT Datagram Service Type=17
> >>Source=CDTOWER[20]
> >>
> >>ETHER: ----- Ether Header -----
> >>ETHER:
> >>ETHER: Packet 57 arrived at 14:44:47.57
> >>ETHER: Packet size = 266 bytes
> >>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> >>ETHER: Source = 0:60:b0:b6:b2:62,
> >>ETHER: Ethertype = 0800 (IP)
> >>ETHER:
> >>IP: ----- IP Header -----
> >>IP:
> >>IP: Version = 4
> >>IP: Header length = 20 bytes
> >>IP: Type of service = 0x00
> >>IP: xxx. .... = 0 (precedence)
> >>IP: ...0 .... = normal delay
> >>IP: .... 0... = normal throughput
> >>IP: .... .0.. = normal reliability
> >>IP: Total length = 252 bytes
> >>IP: Identification = 22165
> >>IP: Flags = 0x0
> >>IP: .0.. .... = may fragment
> >>IP: ..0. .... = last fragment
> >>IP: Fragment offset = 0 bytes
> >>IP: Time to live = 64 seconds/hops
> >>IP: Protocol = 17 (UDP)
> >>IP: Header checksum = 091c
> >>IP: Source address = 192.65.2.192, 192.65.2.192
> >>IP: Destination address = 192.65.2.255, 192.65.2.255
> >>IP: No options
> >>IP:
> >>UDP: ----- UDP Header -----
> >>UDP:
> >>UDP: Source port = 138
> >>UDP: Destination port = 138 (NBDG)
> >>UDP: Length = 232
> >>UDP: Checksum = 0000 (no checksum)
> >>UDP:
> >>NBT: ----- Netbios Datagram Service Header -----
> >>NBT:
> >>NBT: Datagram Packet Type = 0x11
> >>NBT: Datagram Flags = 0x0a
> >>NBT: Datagram ID = 0xb367
> >>NBT: Source IP = 192.65.2.192
> >>NBT: Source Port = 138
> >>NBT: Datagram Length = 0x00d2
> >>NBT: Packet Offset = 0x0000
> >>NBT: Source Name = CDTOWER[20]
> >>NBT: Destination Name = RND[0]
> >>NBT: Number of data bytes remaining = 142
> >>NBT:
> >>
> >>Is this a normal behaviour or do I need to remove netbeui protocol?
> >>--------------------------------------------------------------------
> >>
> >>3)Another type od Broadcast packet
> >>509 0.28533 ? -> (broadcast) ETHER Type=0000 (LLC/802.3),
> size
> >>= 110 bytes
> >>510 1.54573 ? -> (broadcast) ETHER Type=0000 (LLC/802.3),
> size
> >>= 110 bytes
> >>511 0.72617 ? -> (broadcast) ETHER Type=0000 (LLC/802.3),
> size
> >>= 110 bytes
> >>
> >>ETHER: ----- Ether Header -----
> >>ETHER:
> >>ETHER: Packet 511 arrived at 14:51:52.90
> >>ETHER: Packet size = 110 bytes
> >>ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> >>ETHER: Source = 0:8:c7:d2:4a:ab,
> >>ETHER: IEEE 802.3 length = 96 bytes
> >>ETHER: Ethertype = 0000 (LLC/802.3)
> >>ETHER:
> >>
> >>What is this broadcast packet trying to do?Or how do i debug this for
more
> >>info.
> >>
> >>Any help would be appricated
> >>
> >>Cheers
> >>Ramesh
> >
> >
> >________________________
> >
> >Priscilla Oppenheimer
> >http://www.priscilla.com
> >
> >
>
>
>Get 250 color business cards for FREE!
>http://businesscards.lycos.com/vp/fastpath/
________________________
Priscilla Oppenheimer
http://www.priscilla.com
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10100&t=9944
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
