Re: [Wireshark-users] High broadcast traffic
Hansang Bae asked a great question. I have hung myself by setting up multicast on a device in a legacy (FAT LARGE) network. In doing so I only thought about L3.. well, multicast uses the same L2 flag as bcast!

On Wed, 2008-02-20 at 19:22 -0500, Hansang Bae wrote:
> joans4nz wrote:
> > I'm a network administrator in my new job and when I ran Wireshark I saw
> > too much ARP traffic level and Ntop shows 86% broadcast traffic too.
> >
> > There are a DHCP server and 350 Windows stations. My boss doesn't know
> > anything about networks and I proposed to my boss to buy a layer 3 switch and
> > create VLANs to reduce the broadcast traffic levels, but my boss asked
> > what the normal levels of broadcast traffic in the LAN network must be. I
> > have searched Google and I can't find a good response
> > to that question. I feel bad without a good answer and reference.
> >
> > Could anyone on the list help me please?
> >
> > Thanks for your time and excuse my English.
>
> Is there a problem you want to resolve? The days of users firing up
> Doom (pre 1.1) and killing 486 based PCs because of broadcast packets are
> long gone. Where did you capture from? 86% of TOTAL traffic on your
> network is broadcast? Or just what you are seeing on your port? Are
> you running any multicast based apps that are being reported as broadcast?
>
> The CCDA design numbers Stewart posted are not really something that
> should guide you. One can argue all day about legitimacy of those
> numbers.

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users

Re: [Wireshark-users] Logging packets
I know if your firewall is a PIX it can support doing a capture from the IOS itself.. big issue (last I looked at it) was you are limited by your buffer space.. if your firewall is plugged directly into the ISP router.. get a switch to interconnect them and then do a span / port mirror.

>>> "Peter Cambouris" <[EMAIL PROTECTED]> 12/14/07 7:56 AM >>>
Is there a step by step out there on how to set up a computer with Wireshark to be placed between a firewall and ISP router? There is a lot of bandwidth being transmitted and I need to get answers for my client on what the traffic is. Please advise!!

Thanks
Peter

Re: [Wireshark-users] capture filter
Thanks Guy.. JUST what I was asking for. I will remember to man tcpdump next time..

>>> Guy Harris <[EMAIL PROTECTED]> 05/04/07 12:18 PM >>>
Tom Greaser wrote:
> How can I set my capture to allow me to put in just part of the
> ethernet address?
>
> I read the wiki and since I have HIGH volumes of data (gig links
> running at 15-50 meg)
> I'd like to do more than just the filter "multicast".
> I will if I have to..
>
> I know the source MAC always ends in 0007

A capture filter of

    ether[10:2] == 0x0007

will check bytes 10 and 11 (the first byte being 0) of the packet against 00:07; that checks the last 2 bytes of the source MAC address.

See the tcpdump/WinDump man page for capture filter details; look for "expression" to find the description of filters, and look for "expr relop expr" for a description of the syntax of general comparisons such as that.

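The offset arithmetic in the reply above, as an added example (not code from the thread or from tcpdump): a Python emulation of `ether[10:2] == 0x0007` run over constructed frames. The frames, MAC addresses and function names are assumptions made for illustration.

```python
def mac(text: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ether_load(frame: bytes, offset: int, size: int):
    """Emulate the capture-filter accessor ether[offset:size].

    Sizes are 1, 2 or 4 bytes, read big-endian. A read past the captured
    bytes returns None, mirroring BPF, which rejects such a packet.
    """
    if size not in (1, 2, 4) or offset < 0 or offset + size > len(frame):
        return None
    return int.from_bytes(frame[offset:offset + size], "big")

def matches_filter(frame: bytes, suffix: int = 0x0007) -> bool:
    """Equivalent of the capture filter  ether[10:2] == 0x0007."""
    return ether_load(frame, 10, 2) == suffix

def source_mac(frame: bytes) -> str:
    """Bytes 6..11 of an Ethernet frame hold the source MAC."""
    return ":".join(f"{b:02x}" for b in frame[6:12])

def matching_sources(frames):
    """Source MACs of the frames the filter would keep, in order."""
    return [source_mac(f) for f in frames if matches_filter(f)]

# Constructed sample frames (all addresses are made up for this example).
GROUP = mac("01:00:5e:00:00:fb")
PAYLOAD = b"\x00" * 46
FRAMES = [
    # Source ends in 00:07 -> kept.
    GROUP + mac("00:11:22:33:00:07") + b"\x08\x00" + PAYLOAD,
    # Same sender with an 802.1Q tag: the tag starts at byte 12,
    # after the source MAC, so offsets 10-11 are unchanged -> kept.
    GROUP + mac("00:11:22:33:00:07") + b"\x81\x00\x00\x64\x08\x00" + PAYLOAD,
    # Bytes swapped (07:00) -> dropped.
    GROUP + mac("00:11:22:33:07:00") + b"\x08\x00" + PAYLOAD,
    # Only the destination ends in 00:07 -> dropped.
    mac("00:aa:bb:cc:00:07") + mac("00:11:22:33:44:55") + b"\x08\x00" + PAYLOAD,
    # Truncated to 10 bytes: the read at offset 10 is out of range -> dropped.
    (GROUP + mac("00:11:22:33:00:07"))[:10],
]

if __name__ == "__main__":
    for f in FRAMES:
        print(len(f), source_mac(f), matches_filter(f))
```
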
[Wireshark-users] capture filter
I'm weak at filters... can someone point me in a good direction..

I'm trying to find a LAYER 2 multicast issue on the network that, as luck would have it, pops up at different times every day.. The only reason I know of this "issue" is that some of the switches log the error.. C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET and Cisco's fix.. find the sender and fix it.. so I'm trying to track it down.. but.. I get a few different multicast source addresses.

How can I set my capture to allow me to put in just part of the ethernet address?

I read the wiki and since I have HIGH volumes of data (gig links running at 15-50 meg) I'd like to do more than just the filter "multicast". I will if I have to..

I know the source MAC always ends in 0007

Thanks for any help / direction..

Re: [Wireshark-users] Bandwidth Graph post capture
Have you looked at ntop or cacti? Or are you wanting to get a capture from someone / somewhere else and do a graph? Just saying there might be the tool for that job already made.. good luck.

>>> BeCoOL BoNH <[EMAIL PROTECTED]> 12/05/06 11:54 AM >>>
Hello guys!

First, thanks for your great tool, it's really useful for my job.

Now my question is: has anybody found a tool, other than Wireshark, where you can draw a bandwidth graph after a post capture filter. Yeah, like the I/O graph, but I need one more precise where you can export the values, see the bandwidth over 3 hours and more without scrolling, with absolute time, kbit unit etc...

I know it's Christmas soon, maybe I ask too much but thanks if you can help me :)

Best regards.

Re: [Wireshark-users] How to find the application sending a namerequest?
Sorry if this was already said.. but have you run Active Ports?

http://www.sofotex.com/Active-Ports-download_L703.html

If you see a svchost.exe.. I'm not a Windows user so I'm not sure how to dig in to find what all that .exe is running...

>>> Bob Frottner <[EMAIL PROTECTED]> 10/31/06 11:45 AM >>>
Thanks for the suggestion, Jack! I have tried

    nbtstat -RR
    ipconfig /flushdns
    ipconfig /registerdns

but no success. Do you have any more ideas? How can I flush WINS?