Re: Snoop details [7:9944]
This looks a bit dodgy, It looks like the SAPS should be 00, 00. But the Analyser is mis-representing the info- . What type of analyser is producing this decode ? Can you send the hex version of the data ? Regs, Phil. --- Priscilla Oppenheimer wrote: At 01:45 AM 6/27/01, Ramesh c wrote: More input Today I analzsed the network for 45 minutes of which 5500 packets were caught of which 4100 were Broadcast(1650) and multicast. That's a lot, but are you capturing on a switched port? You will see only broadcasts and packets to that port (unless you use SPAN). I can't understand why it says EtherType is , especially since it is an 803.2 frame. I guess it's just trying to tell you that there is no EtherType. But what is the SAP? One of them is in AppleTalk frame. AppleTalk routers multicast their routing table every 10 seconds, which is a lot and could skew the data. Priscilla Does that sound any caution on my network?. The Broadcast and multicast packets header as follows ETHER: - Ether Header - ETHER: ETHER: Packet 88 arrived at 11:20:55.53 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 89 arrived at 11:20:55.59 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 90 arrived at 11:20:55.64 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 91 arrived at 11:20:55.70 ETHER: Packet size = 110 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 96 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 92 arrived at 11:20:55.88 ETHER: Packet size = 52 bytes ETHER: Destination = 1:80:c2:0:0:0, (multicast) ETHER: Source = 0:90:ab:ec:f3:5, ETHER: IEEE 802.3 length = 38 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 93 arrived at 11:20:55.94 ETHER: Packet size = 45 bytes ETHER: Destination = 9:0:7:ff:ff:ff, (multicast) ETHER: Source = 0:60:b0:54:c1:7e, ETHER: IEEE 802.3 length = 31 bytes ETHER: Ethertype = 809B (EtherTalk (AppleTalk over Ethernet)) ETHER: -- On Tue, 26 Jun 2001 12:58:10 Priscilla Oppenheimer wrote: 2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how much bandwidth they are using? Can you tell us what percentage of the packets are broadcasts? A rule of thumb that Cisco teaches is that no more than 20% of your packets should be broadcasts. The main problem with broadcasts is that they interrupt station CPUs, but with the high-speed of CPUs these days, that is less of an issue. You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is NetBIOS running directly on a data-link, which is not what you are running.) NetBIOS sends lots of broadcasts. In this example, the server CDTOWER is sending a broadcast. You need to find out if that is necessary on your network or not. It seems a bit odd that CDTOWER is sending the frame directly to RND at the NetBIOS layer but to a broadcast address at the network and data-link layers. Sometimes a subnet mask misconfiguration can cause such a problem. Check CDTOWER and RND's configs. The last byte of a NetBIOS name tells you what kind of device it is. CDTOWER ends with x20, which means server, if I remember correctly. RND ends with 0x0 and I have forgotten what that means and my NetBIOS documentation is packed away. But you could find this somewhere on the Net or one of our esteemed colleagues probably knows. I don't recognize the other broadcast packets. They have an 802.3 length field of 0 even though there's data in the packet. It sounds like a bug? Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and check its configuration? Priscilla At 05:20 AM 6/26/01, Ramesh c wrote: I did a kind of traffic study on my network and here it goes 1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in my network? - 2)Most of the Broadcast of this type... 57 0.03870 10.65.2.192 - 10.65.2.255 NBT Datagram Service Type=17 Source=CDTOWER[20] ETHER: -
Re: Snoop details [7:9944]
More input Today I analzsed the network for 45 minutes of which 5500 packets were caught of which 4100 were Broadcast(1650) and multicast. Does that sound any caution on my network?. The Broadcast and multicast packets header as follows ETHER: - Ether Header - ETHER: ETHER: Packet 88 arrived at 11:20:55.53 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 89 arrived at 11:20:55.59 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 90 arrived at 11:20:55.64 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 91 arrived at 11:20:55.70 ETHER: Packet size = 110 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 96 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 92 arrived at 11:20:55.88 ETHER: Packet size = 52 bytes ETHER: Destination = 1:80:c2:0:0:0, (multicast) ETHER: Source = 0:90:ab:ec:f3:5, ETHER: IEEE 802.3 length = 38 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 93 arrived at 11:20:55.94 ETHER: Packet size = 45 bytes ETHER: Destination = 9:0:7:ff:ff:ff, (multicast) ETHER: Source = 0:60:b0:54:c1:7e, ETHER: IEEE 802.3 length = 31 bytes ETHER: Ethertype = 809B (EtherTalk (AppleTalk over Ethernet)) ETHER: -- On Tue, 26 Jun 2001 12:58:10 Priscilla Oppenheimer wrote: 2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how much bandwidth they are using? Can you tell us what percentage of the packets are broadcasts? A rule of thumb that Cisco teaches is that no more than 20% of your packets should be broadcasts. The main problem with broadcasts is that they interrupt station CPUs, but with the high-speed of CPUs these days, that is less of an issue. You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is NetBIOS running directly on a data-link, which is not what you are running.) NetBIOS sends lots of broadcasts. In this example, the server CDTOWER is sending a broadcast. You need to find out if that is necessary on your network or not. It seems a bit odd that CDTOWER is sending the frame directly to RND at the NetBIOS layer but to a broadcast address at the network and data-link layers. Sometimes a subnet mask misconfiguration can cause such a problem. Check CDTOWER and RND's configs. The last byte of a NetBIOS name tells you what kind of device it is. CDTOWER ends with x20, which means server, if I remember correctly. RND ends with 0x0 and I have forgotten what that means and my NetBIOS documentation is packed away. But you could find this somewhere on the Net or one of our esteemed colleagues probably knows. I don't recognize the other broadcast packets. They have an 802.3 length field of 0 even though there's data in the packet. It sounds like a bug? Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and check its configuration? Priscilla At 05:20 AM 6/26/01, Ramesh c wrote: I did a kind of traffic study on my network and here it goes 1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in my network? - 2)Most of the Broadcast of this type... 57 0.03870 10.65.2.192 - 10.65.2.255 NBT Datagram Service Type=17 Source=CDTOWER[20] ETHER: - Ether Header - ETHER: ETHER: Packet 57 arrived at 14:44:47.57 ETHER: Packet size = 266 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:60:b0:b6:b2:62, ETHER: Ethertype = 0800 (IP) ETHER: IP: - IP Header - IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. = 0 (precedence) IP: ...0 = normal delay IP: 0... = normal throughput IP: .0.. = normal reliability IP: Total length = 252 bytes IP: Identification = 22165 IP: Flags = 0x0 IP: .0.. = may fragment IP: ..0. = last fragment IP: Fragment offset = 0 bytes IP: Time to live = 64 seconds/hops IP: Protocol = 17 (UDP) IP: Header checksum = 091c IP: Source address = 192.65.2.192, 192.65.2.192 IP: Destination address = 192.65.2.255, 192.65.2.255 IP: No options IP: UDP: - UDP Header
Re: Snoop details [7:9944]
At 01:45 AM 6/27/01, Ramesh c wrote: More input Today I analzsed the network for 45 minutes of which 5500 packets were caught of which 4100 were Broadcast(1650) and multicast. That's a lot, but are you capturing on a switched port? You will see only broadcasts and packets to that port (unless you use SPAN). I can't understand why it says EtherType is , especially since it is an 803.2 frame. I guess it's just trying to tell you that there is no EtherType. But what is the SAP? One of them is in AppleTalk frame. AppleTalk routers multicast their routing table every 10 seconds, which is a lot and could skew the data. Priscilla Does that sound any caution on my network?. The Broadcast and multicast packets header as follows ETHER: - Ether Header - ETHER: ETHER: Packet 88 arrived at 11:20:55.53 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 89 arrived at 11:20:55.59 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 90 arrived at 11:20:55.64 ETHER: Packet size = 494 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 480 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 91 arrived at 11:20:55.70 ETHER: Packet size = 110 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:10:7b:b6:ee:a0, ETHER: IEEE 802.3 length = 96 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 92 arrived at 11:20:55.88 ETHER: Packet size = 52 bytes ETHER: Destination = 1:80:c2:0:0:0, (multicast) ETHER: Source = 0:90:ab:ec:f3:5, ETHER: IEEE 802.3 length = 38 bytes ETHER: Ethertype = (LLC/802.3) ETHER: ETHER: - Ether Header - ETHER: ETHER: Packet 93 arrived at 11:20:55.94 ETHER: Packet size = 45 bytes ETHER: Destination = 9:0:7:ff:ff:ff, (multicast) ETHER: Source = 0:60:b0:54:c1:7e, ETHER: IEEE 802.3 length = 31 bytes ETHER: Ethertype = 809B (EtherTalk (AppleTalk over Ethernet)) ETHER: -- On Tue, 26 Jun 2001 12:58:10 Priscilla Oppenheimer wrote: 2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how much bandwidth they are using? Can you tell us what percentage of the packets are broadcasts? A rule of thumb that Cisco teaches is that no more than 20% of your packets should be broadcasts. The main problem with broadcasts is that they interrupt station CPUs, but with the high-speed of CPUs these days, that is less of an issue. You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is NetBIOS running directly on a data-link, which is not what you are running.) NetBIOS sends lots of broadcasts. In this example, the server CDTOWER is sending a broadcast. You need to find out if that is necessary on your network or not. It seems a bit odd that CDTOWER is sending the frame directly to RND at the NetBIOS layer but to a broadcast address at the network and data-link layers. Sometimes a subnet mask misconfiguration can cause such a problem. Check CDTOWER and RND's configs. The last byte of a NetBIOS name tells you what kind of device it is. CDTOWER ends with x20, which means server, if I remember correctly. RND ends with 0x0 and I have forgotten what that means and my NetBIOS documentation is packed away. But you could find this somewhere on the Net or one of our esteemed colleagues probably knows. I don't recognize the other broadcast packets. They have an 802.3 length field of 0 even though there's data in the packet. It sounds like a bug? Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and check its configuration? Priscilla At 05:20 AM 6/26/01, Ramesh c wrote: I did a kind of traffic study on my network and here it goes 1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in my network? - 2)Most of the Broadcast of this type... 57 0.03870 10.65.2.192 - 10.65.2.255 NBT Datagram Service Type=17 Source=CDTOWER[20] ETHER: - Ether Header - ETHER: ETHER: Packet 57 arrived at 14:44:47.57 ETHER: Packet size = 266 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:60:b0:b6:b2:62, ETHER: Ethertype = 0800 (IP) ETHER: IP: - IP Header - IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. = 0 (precedence) IP: ...0 = normal
Snoop details [7:9944]
I did a kind of traffic study on my network and here it goes 1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in my network? - 2)Most of the Broadcast of this type... 57 0.03870 10.65.2.192 - 10.65.2.255 NBT Datagram Service Type=17 Source=CDTOWER[20] ETHER: - Ether Header - ETHER: ETHER: Packet 57 arrived at 14:44:47.57 ETHER: Packet size = 266 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:60:b0:b6:b2:62, ETHER: Ethertype = 0800 (IP) ETHER: IP: - IP Header - IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. = 0 (precedence) IP: ...0 = normal delay IP: 0... = normal throughput IP: .0.. = normal reliability IP: Total length = 252 bytes IP: Identification = 22165 IP: Flags = 0x0 IP: .0.. = may fragment IP: ..0. = last fragment IP: Fragment offset = 0 bytes IP: Time to live = 64 seconds/hops IP: Protocol = 17 (UDP) IP: Header checksum = 091c IP: Source address = 192.65.2.192, 192.65.2.192 IP: Destination address = 192.65.2.255, 192.65.2.255 IP: No options IP: UDP: - UDP Header - UDP: UDP: Source port = 138 UDP: Destination port = 138 (NBDG) UDP: Length = 232 UDP: Checksum = (no checksum) UDP: NBT: - Netbios Datagram Service Header - NBT: NBT: Datagram Packet Type = 0x11 NBT: Datagram Flags = 0x0a NBT: Datagram ID = 0xb367 NBT: Source IP = 192.65.2.192 NBT: Source Port = 138 NBT: Datagram Length = 0x00d2 NBT: Packet Offset = 0x NBT: Source Name = CDTOWER[20] NBT: Destination Name = RND[0] NBT: Number of data bytes remaining = 142 NBT: Is this a normal behaviour or do I need to remove netbeui protocol? 3)Another type od Broadcast packet 509 0.28533? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes 510 1.54573? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes 511 0.72617? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes ETHER: - Ether Header - ETHER: ETHER: Packet 511 arrived at 14:51:52.90 ETHER: Packet size = 110 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:8:c7:d2:4a:ab, ETHER: IEEE 802.3 length = 96 bytes ETHER: Ethertype = (LLC/802.3) ETHER: What is this broadcast packet trying to do?Or how do i debug this for more info. Any help would be appricated Cheers Ramesh Get 250 color business cards for FREE! http://businesscards.lycos.com/vp/fastpath/ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9944t=9944 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Snoop details [7:9944]
2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how much bandwidth they are using? Can you tell us what percentage of the packets are broadcasts? A rule of thumb that Cisco teaches is that no more than 20% of your packets should be broadcasts. The main problem with broadcasts is that they interrupt station CPUs, but with the high-speed of CPUs these days, that is less of an issue. You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is NetBIOS running directly on a data-link, which is not what you are running.) NetBIOS sends lots of broadcasts. In this example, the server CDTOWER is sending a broadcast. You need to find out if that is necessary on your network or not. It seems a bit odd that CDTOWER is sending the frame directly to RND at the NetBIOS layer but to a broadcast address at the network and data-link layers. Sometimes a subnet mask misconfiguration can cause such a problem. Check CDTOWER and RND's configs. The last byte of a NetBIOS name tells you what kind of device it is. CDTOWER ends with x20, which means server, if I remember correctly. RND ends with 0x0 and I have forgotten what that means and my NetBIOS documentation is packed away. But you could find this somewhere on the Net or one of our esteemed colleagues probably knows. I don't recognize the other broadcast packets. They have an 802.3 length field of 0 even though there's data in the packet. It sounds like a bug? Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and check its configuration? Priscilla At 05:20 AM 6/26/01, Ramesh c wrote: I did a kind of traffic study on my network and here it goes 1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in my network? - 2)Most of the Broadcast of this type... 57 0.03870 10.65.2.192 - 10.65.2.255 NBT Datagram Service Type=17 Source=CDTOWER[20] ETHER: - Ether Header - ETHER: ETHER: Packet 57 arrived at 14:44:47.57 ETHER: Packet size = 266 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:60:b0:b6:b2:62, ETHER: Ethertype = 0800 (IP) ETHER: IP: - IP Header - IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. = 0 (precedence) IP: ...0 = normal delay IP: 0... = normal throughput IP: .0.. = normal reliability IP: Total length = 252 bytes IP: Identification = 22165 IP: Flags = 0x0 IP: .0.. = may fragment IP: ..0. = last fragment IP: Fragment offset = 0 bytes IP: Time to live = 64 seconds/hops IP: Protocol = 17 (UDP) IP: Header checksum = 091c IP: Source address = 192.65.2.192, 192.65.2.192 IP: Destination address = 192.65.2.255, 192.65.2.255 IP: No options IP: UDP: - UDP Header - UDP: UDP: Source port = 138 UDP: Destination port = 138 (NBDG) UDP: Length = 232 UDP: Checksum = (no checksum) UDP: NBT: - Netbios Datagram Service Header - NBT: NBT: Datagram Packet Type = 0x11 NBT: Datagram Flags = 0x0a NBT: Datagram ID = 0xb367 NBT: Source IP = 192.65.2.192 NBT: Source Port = 138 NBT: Datagram Length = 0x00d2 NBT: Packet Offset = 0x NBT: Source Name = CDTOWER[20] NBT: Destination Name = RND[0] NBT: Number of data bytes remaining = 142 NBT: Is this a normal behaviour or do I need to remove netbeui protocol? 3)Another type od Broadcast packet 509 0.28533? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes 510 1.54573? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes 511 0.72617? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes ETHER: - Ether Header - ETHER: ETHER: Packet 511 arrived at 14:51:52.90 ETHER: Packet size = 110 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:8:c7:d2:4a:ab, ETHER: IEEE 802.3 length = 96 bytes ETHER: Ethertype = (LLC/802.3) ETHER: What is this broadcast packet trying to do?Or how do i debug this for more info. Any help would be appricated Cheers Ramesh Priscilla Oppenheimer http://www.priscilla.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9998t=9944 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Snoop details [7:9944]
I found the documentation on what the last byte of a NetBIOS name means. Though it's not very user friendly, here it is: redirector name main user name alias name server name This leads me to believe that RND is a workstation running a redirector, which is normal. I think it is quite odd, however, that the CDTOWER server sends a datagram to the RND workstation as a broadcast. If the server were using port 137, which is often used for naming announcements, then it wouldn't be weird. But it's using port 138. NetBIOS ports are: 137 Name Service 138 Datagram Service 139 Session Service So what might cause CDTOWER's TCP/IP stack to think that 192.65.2.255 is a broadcast? (What might have caused the stack to tell the data-link layer to send the frame to the broadcast address?) CDTOWER's own IP address is 192.65.2.192. We can't tell the subnet mask from the frames, but anyone have any theories? It's good practice in bit-twiddling. There are many possibilities. How CDTOWER got the IP address for RND to start with is another (harder) mystery Priscilla At 04:09 PM 6/26/01, Priscilla Oppenheimer wrote: 2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how much bandwidth they are using? Can you tell us what percentage of the packets are broadcasts? A rule of thumb that Cisco teaches is that no more than 20% of your packets should be broadcasts. The main problem with broadcasts is that they interrupt station CPUs, but with the high-speed of CPUs these days, that is less of an issue. You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is NetBIOS running directly on a data-link, which is not what you are running.) NetBIOS sends lots of broadcasts. In this example, the server CDTOWER is sending a broadcast. You need to find out if that is necessary on your network or not. It seems a bit odd that CDTOWER is sending the frame directly to RND at the NetBIOS layer but to a broadcast address at the network and data-link layers. Sometimes a subnet mask misconfiguration can cause such a problem. Check CDTOWER and RND's configs. The last byte of a NetBIOS name tells you what kind of device it is. CDTOWER ends with x20, which means server, if I remember correctly. RND ends with 0x0 and I have forgotten what that means and my NetBIOS documentation is packed away. But you could find this somewhere on the Net or one of our esteemed colleagues probably knows. I don't recognize the other broadcast packets. They have an 802.3 length field of 0 even though there's data in the packet. It sounds like a bug? Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and check its configuration? Priscilla At 05:20 AM 6/26/01, Ramesh c wrote: I did a kind of traffic study on my network and here it goes 1)I get about 2100 broadcast packets in 30minutes.Does that sound a alarm in my network? - 2)Most of the Broadcast of this type... 57 0.03870 10.65.2.192 - 10.65.2.255 NBT Datagram Service Type=17 Source=CDTOWER[20] ETHER: - Ether Header - ETHER: ETHER: Packet 57 arrived at 14:44:47.57 ETHER: Packet size = 266 bytes ETHER: Destination = ff:ff:ff:ff:ff:ff, (broadcast) ETHER: Source = 0:60:b0:b6:b2:62, ETHER: Ethertype = 0800 (IP) ETHER: IP: - IP Header - IP: IP: Version = 4 IP: Header length = 20 bytes IP: Type of service = 0x00 IP: xxx. = 0 (precedence) IP: ...0 = normal delay IP: 0... = normal throughput IP: .0.. = normal reliability IP: Total length = 252 bytes IP: Identification = 22165 IP: Flags = 0x0 IP: .0.. = may fragment IP: ..0. = last fragment IP: Fragment offset = 0 bytes IP: Time to live = 64 seconds/hops IP: Protocol = 17 (UDP) IP: Header checksum = 091c IP: Source address = 192.65.2.192, 192.65.2.192 IP: Destination address = 192.65.2.255, 192.65.2.255 IP: No options IP: UDP: - UDP Header - UDP: UDP: Source port = 138 UDP: Destination port = 138 (NBDG) UDP: Length = 232 UDP: Checksum = (no checksum) UDP: NBT: - Netbios Datagram Service Header - NBT: NBT: Datagram Packet Type = 0x11 NBT: Datagram Flags = 0x0a NBT: Datagram ID = 0xb367 NBT: Source IP = 192.65.2.192 NBT: Source Port = 138 NBT: Datagram Length = 0x00d2 NBT: Packet Offset = 0x NBT: Source Name = CDTOWER[20] NBT: Destination Name = RND[0] NBT: Number of data bytes remaining = 142 NBT: Is this a normal behaviour or do I need to remove netbeui protocol? 3)Another type od Broadcast packet 509 0.28533? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes 510 1.54573? - (broadcast) ETHER Type= (LLC/802.3), size = 110 bytes 511 0.72617? - (broadcast)