
Broadcast Analysis - Looping Packets

Tony Fortunato, The Technology Firm. info@thetechfirm.com


Presentation Transcript


  1. Broadcast Analysis - Looping Packets
     Tony Fortunato, The Technology Firm
     info@thetechfirm.com

  2. Symptoms And What The Experts Say
     • Client has intermittent ‘slow downs’.
     • Protocol Analyzer was connected to a switch port. No mirroring/spanning.
     • As part of the broadcast investigation process, broadcast packets were inspected along with Expert feedback.
     • The most common red herring is taking the Expert feedback literally and believing there are duplicate IPs and client/router misconfigurations.

  3. NAI Sniffer Pro Results
     The following screen captures show that the Sniffer reports Duplicate Network Address and Router Storm.

  4. NAI Sniffer Pro – The Investigation
     A “Display Filter” was defined to display the duplicate packets. Modify the “Display Setup” to show the IP layer and disable ‘Show Network Addresses’.

  5. NAI Sniffer Pro – The Packets
     • After applying our filter, I noticed that the Frame Number started at 1, so I noted the ID number and removed the filter.
     • I noticed that the first packet was from the real client (00306e1c0449); the next 127 packets were duplicates sent by an ASN router interface (00-00-a2-cc-6d-d9).
     • The key here is that the other packets have the same IP Identifier (3129).

  6. Fluke Protocol Expert
     • The Protocol Expert is reporting ‘Excessive Mailslot Broadcasts’, ‘Router Storm’ and ‘IP Time To Live Expiring’.

  7. Fluke Protocol Expert – The Investigation
     Modify the “Capture View Display Options” to show the IP layer and disable ‘Show Network Addresses’. By reviewing the Capture View -> Duplicate Addresses, you can see that the BAY MAC consistently comes up.

  8. Fluke Protocol Expert – The Investigation
     A “Display Filter” was defined to display the duplicate packets.

  9. Fluke Protocol Expert – The Packets
     • After applying our filter, I noticed that the Frame Number started at 0, so I noted the ID number and removed the filter.
     • I noticed that the first packet was from the real client (00306e1c0449); the next 127 packets were duplicates sent by an ASN router interface (00-00-a2-cc-6d-d9).
     • The key here is that the other packets have the same IP Identifier (3129).

  10. Conclusions
     Regardless of which tool you use, you will see the same basic pattern:
     • Looping packets delivered by the BAY MAC address.
     Possible explanations:
     • A device with two network cards is causing a routing loop.
     • A device with a specific routing misconfiguration like IP Forwarding.
     • Router has a generic UDP packet forwarding command causing these loops.
     Possible next steps:
     • Review router configuration for UDP forwarding commands.
     • Place the analyzer on the same switch port as the router port to see if another device is relaying these UDP packets to it.
     • In this example, the client experienced a router misconfigured for UDP flooding.
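The pattern from slides 5 and 9 (one original frame, then copies carrying the same IP Identifier but re-sent from a different source MAC) can be checked mechanically instead of by reading the Expert output. The Python below is an added example, not part of the original presentation: it parses raw Ethernet II/IPv4 frames and groups them by source IP, destination IP and IP Identifier. The MAC addresses, the identifier 3129 and the count of 127 copies come from the slides; the IP addresses and TTL values in the constructed capture are assumptions.

```python
import socket
import struct
from collections import defaultdict

def make_frame(src_mac, ip_id, ttl, src_ip="10.1.1.20", dst_ip="10.1.1.255"):
    """Build a constructed Ethernet II + IPv4/UDP broadcast frame (checksum left 0)."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, ttl, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip

def parse(frame):
    """Return (src_mac, src_ip, dst_ip, ip_id, ttl), or None if not a usable IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return None
    ip_id, = struct.unpack("!H", frame[18:20])
    return (frame[6:12].hex(), socket.inet_ntoa(frame[26:30]),
            socket.inet_ntoa(frame[30:34]), ip_id, frame[22])

def find_loops(frames, min_copies=3):
    """Group by (src IP, dst IP, IP ID); flag groups re-sent by a different MAC."""
    groups = defaultdict(list)
    for n, frame in enumerate(frames):
        rec = parse(frame)
        if rec:
            src_mac, src_ip, dst_ip, ip_id, ttl = rec
            groups[(src_ip, dst_ip, ip_id)].append((n, src_mac, ttl))
    findings = []
    for key, seen in groups.items():
        origin = seen[0][1]                      # MAC of the first copy captured
        relays = [s for s in seen[1:] if s[1] != origin]
        if len(relays) >= min_copies:
            findings.append({"key": key, "origin_mac": origin,
                             "relay_macs": sorted({s[1] for s in relays}),
                             "copies": len(relays),
                             "ttl_range": (min(s[2] for s in seen), max(s[2] for s in seen))})
    return findings

# Constructed capture. From the slides: both MACs, IP ID 3129, 127 copies.
# Assumed: the IP addresses and the TTL values.
CLIENT, ROUTER = "00306e1c0449", "0000a2cc6dd9"
capture = [make_frame(CLIENT, 3129, 128)]
capture += [make_frame(ROUTER, 3129, 127 - i) for i in range(127)]
capture.append(make_frame(CLIENT, 3130, 128))    # ordinary packet, not looping

if __name__ == "__main__":
    print(find_loops(capture))
```

Fragments of one datagram also share an IP Identifier, but they keep the originating source MAC, so they are not counted as relayed copies here.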
