This looks a bit dodgy. It looks like the SAPs should
be 00, 00. But the analyser is misrepresenting the
info.
What type of analyser is producing this decode?
Can you send the hex version of the data?

Regs,

Phil.
 
--- Priscilla Oppenheimer  wrote:
> At 01:45 AM 6/27/01, Ramesh c wrote:
> >More input
> >
> >Today I analysed the network for 45 minutes of which 5500 packets were
> >caught of which 4100 were Broadcast(1650) and multicast.
>
> That's a lot, but are you capturing on a switched port? You will see only
> broadcasts and packets to that port (unless you use SPAN).
>
> I can't understand why it says EtherType is 0000, especially since it is an
> 802.3 frame. I guess it's just trying to tell you that there is no
> EtherType. But what is the SAP?
>
> One of them is an AppleTalk frame. AppleTalk routers multicast their
> routing table every 10 seconds, which is a lot and could "skew" the data.
>
> Priscilla
>
>
> >Does that sound any caution on my network?
> >
> >The Broadcast and multicast packets header as follows
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 88 arrived at 11:20:55.53
> >ETHER:  Packet size = 494 bytes
> >ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> >ETHER:  Source      = 0:10:7b:b6:ee:a0,
> >ETHER:  IEEE 802.3 length = 480 bytes
> >ETHER:  Ethertype = 0000 (LLC/802.3)
> >ETHER:
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 89 arrived at 11:20:55.59
> >ETHER:  Packet size = 494 bytes
> >ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> >ETHER:  Source      = 0:10:7b:b6:ee:a0,
> >ETHER:  IEEE 802.3 length = 480 bytes
> >ETHER:  Ethertype = 0000 (LLC/802.3)
> >ETHER:
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 90 arrived at 11:20:55.64
> >ETHER:  Packet size = 494 bytes
> >ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> >ETHER:  Source      = 0:10:7b:b6:ee:a0,
> >ETHER:  IEEE 802.3 length = 480 bytes
> >ETHER:  Ethertype = 0000 (LLC/802.3)
> >ETHER:
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 91 arrived at 11:20:55.70
> >ETHER:  Packet size = 110 bytes
> >ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> >ETHER:  Source      = 0:10:7b:b6:ee:a0,
> >ETHER:  IEEE 802.3 length = 96 bytes
> >ETHER:  Ethertype = 0000 (LLC/802.3)
> >ETHER:
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 92 arrived at 11:20:55.88
> >ETHER:  Packet size = 52 bytes
> >ETHER:  Destination = 1:80:c2:0:0:0, (multicast)
> >ETHER:  Source      = 0:90:ab:ec:f3:5,
> >ETHER:  IEEE 802.3 length = 38 bytes
> >ETHER:  Ethertype = 0000 (LLC/802.3)
> >ETHER:
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 93 arrived at 11:20:55.94
> >ETHER:  Packet size = 45 bytes
> >ETHER:  Destination = 9:0:7:ff:ff:ff, (multicast)
> >ETHER:  Source      = 0:60:b0:54:c1:7e,
> >ETHER:  IEEE 802.3 length = 31 bytes
> >ETHER:  Ethertype = 809B (EtherTalk (AppleTalk over Ethernet))
> >ETHER:
> >
> >--
> >
> >On Tue, 26 Jun 2001 12:58:10
> >  Priscilla Oppenheimer wrote:
> > >2100 broadcasts in 30 minutes might be OK, actually. Can you tell us how
> > >much bandwidth they are using? Can you tell us what percentage of the
> > >packets are broadcasts? A rule of thumb that Cisco teaches is that no more
> > >than 20% of your packets should be broadcasts. The main problem with
> > >broadcasts is that they interrupt station CPUs, but with the high speed of
> > >CPUs these days, that is less of an issue.
> > >
> > >You seem to be running NetBT, which is NetBIOS over TCP/IP. (NetBEUI is
> > >NetBIOS running directly on a data-link, which is not what you are
> > >running.) NetBIOS sends lots of broadcasts. In this example, the server
> > >CDTOWER is sending a broadcast. You need to find out if that is necessary
> > >on your network or not. It seems a bit odd that CDTOWER is sending the
> > >frame directly to RND at the NetBIOS layer but to a broadcast address at
> > >the network and data-link layers. Sometimes a subnet mask misconfiguration
> > >can cause such a problem. Check CDTOWER and RND's configs.
> > >
> > >The last byte of a NetBIOS name tells you what kind of device it is.
> > >CDTOWER ends with x20, which means server, if I remember correctly. RND
> > >ends with 0x0 and I have forgotten what that means and my NetBIOS
> > >documentation is packed away. But you could find this somewhere on the Net
> > >or one of our esteemed colleagues probably knows.
> > >
> > >I don't recognize the other broadcast packets. They have an 802.3 length
> > >field of 0 even though there's data in the packet. It sounds like a bug?
> > >Would it be possible to find the station sending them (0:8:c7:d2:4a:ab) and
> > >check its configuration?
> > >
> > >Priscilla
> > >
> > >At 05:20 AM 6/26/01, Ramesh c wrote:
> > >>I did a kind of traffic study on my network and here it goes....
> > >>
> > >>1) I get about 2100 broadcast packets in 30 minutes. Does that sound an alarm in
> > >>my network?
> > >>
> > >>---------------------------------------------------------------------
> > >>2)Most of the Broadcast of this type...
> > >>57   0.03870  10.65.2.192 -> 10.65.2.255  NBT Datagram Service Type=17
> > >>Source=CDTOWER[20]
> > >>
> > >>ETHER:  ----- Ether Header -----
> > >>ETHER:
> > >>ETHER:  Packet 57 arrived at 14:44:47.57
> > >>ETHER:  Packet size = 266 bytes
> > >>ETHER:  Destination = ff:ff:ff:ff:ff:ff, (broadcast)
> > >>ETHER:  Source      = 0:60:b0:b6:b2:62,
> > >>ETHER:  Ethertype = 0800 (IP)
> > >>ETHER:
> > >>IP:   ----- IP Header -----
> > >>IP:
> > >>IP:   Version = 4
> > >>IP:   Header length = 20 bytes
> > >>IP:   Type of service = 0x00
> > >>IP:         xxx. .... = 0 (precedence)
> > >>IP:         ...0 .... = normal delay
> > >>IP:         .... 0... = normal throughput
> > >>IP:         .... .0.. = normal reliability
> > >>IP:   Total length = 252 bytes
> > >>IP:   Identification = 22165
> > >>IP:   Flags = 0x0
> > >>IP:         .0.. .... = may fragment
> > >>IP:         ..0. .... = last fragment
> > >>IP:   Fragment offset = 0 bytes
> > >>IP:   Time to live = 64 seconds/hops
> > >>IP:   Protocol = 17 (UDP)
> > >>IP:   Header checksum = 091c
> > >>IP:   Source address = 192.65.2.192, 192.65.2.192
> > >>IP:   Destination address = 192.65.2.255, 192.65.2.255
> > >>IP:   No options
> > >>IP:
> > >>UDP:  ----- UDP Header -----
> 
=== message truncated === 

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10390&t=9944
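
An added example, not part of the original thread or any poster's code: a Python decoder for the type/length field discussed above, showing where the DSAP/SSAP sit in an 802.3 frame and how a SNAP header can carry an EtherType such as 809B inside a frame that also has an 802.3 length. The frames are constructed; their LLC/SNAP bytes (42 42 03 and AA AA 03 08 00 07 80 9B) are assumptions about typical spanning-tree and EtherTalk framing, not data from the capture in the thread, and `decode_frame` and `build` are hypothetical helper names.

```python
import struct

MAX_8023_LENGTH = 1500   # type/length values up to 1500 are a length (802.3)
MIN_ETHERTYPE = 0x0600   # values of 0x0600 and above are an EtherType
SNAP_SAP = 0xAA          # DSAP = SSAP = 0xAA announces a SNAP header

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame):
    """Classify the framing and pull out the LLC SAPs or the EtherType."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet MAC header")
    (type_len,) = struct.unpack("!H", frame[12:14])
    info = {"dst": mac(frame[:6]), "src": mac(frame[6:12])}
    if type_len >= MIN_ETHERTYPE:
        info.update(framing="Ethernet II", ethertype=type_len)
        return info
    if type_len > MAX_8023_LENGTH:    # 1501..1535 is neither length nor type
        info.update(framing="undefined", type_len=type_len)
        return info
    info.update(framing="802.3/LLC", length=type_len)
    if len(frame) < 17:               # no room for DSAP, SSAP, control
        info["framing"] = "802.3 (LLC header missing)"
        return info
    dsap, ssap, control = frame[14:17]
    info.update(dsap=dsap, ssap=ssap, control=control)
    # SNAP: LLC AA AA 03, then a 3-byte OUI and a 2-byte protocol ID
    if dsap == ssap == SNAP_SAP and len(frame) >= 22:
        (pid,) = struct.unpack("!H", frame[20:22])
        info.update(framing="802.3/LLC+SNAP", oui=frame[17:20].hex(), ethertype=pid)
    return info

def build(dst, src, type_len, payload):
    return bytes.fromhex(dst + src) + struct.pack("!H", type_len) + payload

# Constructed frames: addresses and lengths follow the decode in the thread,
# the LLC/SNAP bytes and zero padding are assumptions, not captured data.
BPDU = build("0180c2000000", "0090abecf305", 38, bytes.fromhex("424203") + bytes(35))
ETALK = build("090007ffffff", "0060b054c17e", 31,
              bytes.fromhex("aaaa03" "080007" "809b") + bytes(23))
IPV4 = build("ffffffffffff", "0060b0b6b262", 0x0800, bytes(46))

if __name__ == "__main__":
    for name, frame in (("BPDU", BPDU), ("ETALK", ETALK), ("IPV4", IPV4)):
        print(name, decode_frame(frame))
```

A decoder that stops at the type/length field has no EtherType to report for the first frame; the SAPs only appear once the three LLC bytes after the length are read.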