Well, you don't need a mirror to see broadcasts from the same VLAN.  If you 
want to see broadcasts on any/all vlans, obviously you'll need some visibility 
into each of those.  I'm not sure about the tagging issue.  I've seen cases 
where setting the "native" VLAN does actually work due to bugs.  If you're 
confident it's working (the untagged port) and you're seeing "all" broadcast 
traffic from VLAN14 - then I'm not sure what's up.

Another solution that may work, but it requires SNMP: you can poll the MIB value 
for broadcast traffic and monitor the rate.  If it goes above "x" you can 
generate an email or whatever, depending on what app you use.  Since it's 
broadcast traffic you can poll any port on that VLAN.

Also, does your device support any broadcast suppression / storm control?  Most 
vendors support some sort of rate limiting for broadcast traffic, and can also 
alert you (SNMP, HTML, etc.) if that threshold is violated.

I work almost exclusively with Cisco, but some HP, Nortel, 3Com.  The lower end 
stuff I don't touch much.

Also, any type of intelligent sniffer (Sniffer, Network Observer, etc.) can 
detect broadcast storms.  For any/all tools, you need to be certain the 
NIC in said tool has an accurate view of the network you want to monitor or 
nothing will work right.

Gary
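Gary's SNMP suggestion above, worked through as an added example. This is not code from the thread or from ntop: it assumes you already poll IF-MIB::ifInBroadcastPkts (or the 64-bit ifHCInBroadcastPkts) for one port on the VLAN, for instance with net-snmp's snmpget every 30 seconds, and it shows how to turn the raw counter readings into a packets-per-second rate (handling the Counter32 wrap that a raw subtraction gets wrong) and raise an alert only when the rate stays above a threshold for consecutive polls. The Sample readings, the 30 s interval and the 5000 pps threshold are constructed for the illustration.

```python
"""Broadcast-rate alarm built from periodic SNMP counter readings.

Added example (not from the ntop thread).  Feed it successive readings of
IF-MIB::ifInBroadcastPkts for one switch port; everything below is plain
arithmetic on those readings, so it runs offline.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# IF-MIB ifXTable columns (RFC 2863); poll one of these per interface, e.g.
#   snmpget -v2c -c <community> <switch> IF-MIB::ifHCInBroadcastPkts.<ifIndex>
IF_IN_BROADCAST_PKTS = "1.3.6.1.2.1.31.1.1.1.3"     # Counter32
IF_HC_IN_BROADCAST_PKTS = "1.3.6.1.2.1.31.1.1.1.9"  # Counter64, if the agent has it


@dataclass(frozen=True)
class Sample:
    timestamp: float  # seconds when the poll returned (e.g. time.time())
    counter: int      # raw counter value reported by the agent


def counter_delta(prev: int, curr: int, bits: int = 32) -> int:
    """Packets counted between two readings, tolerating a single wrap.

    SNMP counters only increase and wrap to zero at 2**bits; modular
    subtraction recovers the true increment as long as the counter wrapped
    at most once between polls (poll often enough for that to hold).
    """
    modulus = 1 << bits
    if not (0 <= prev < modulus and 0 <= curr < modulus):
        raise ValueError(f"reading out of range for a {bits}-bit counter")
    return (curr - prev) % modulus


def broadcast_pps(samples: Iterable[Sample], bits: int = 32) -> List[float]:
    """Broadcast packets per second for each interval between samples."""
    rates: List[float] = []
    prev: Optional[Sample] = None
    for s in samples:
        if prev is not None:
            dt = s.timestamp - prev.timestamp
            if dt <= 0:
                raise ValueError("samples must be in strictly increasing time order")
            rates.append(counter_delta(prev.counter, s.counter, bits) / dt)
        prev = s
    return rates


def storm_alerts(rates: Sequence[float], threshold_pps: float,
                 min_intervals: int = 2) -> List[int]:
    """Indices of intervals at which to raise an alert.

    An alert fires once per sustained excursion: at the first interval that
    completes a run of `min_intervals` consecutive intervals above the
    threshold.  Requiring more than one interval debounces a single-poll
    spike so you are not paged for every short burst.
    """
    alerts: List[int] = []
    run = 0
    for i, rate in enumerate(rates):
        run = run + 1 if rate > threshold_pps else 0
        if run == min_intervals:
            alerts.append(i)
    return alerts


# Constructed data: five polls 30 s apart of ifInBroadcastPkts on one port.
# The first reading sits just below 2**32 so the first interval crosses a wrap.
SAMPLES = [
    Sample(0.0, 4294962296),   # 2**32 - 5000
    Sample(30.0, 4000),        # +9000 packets across the wrap  -> 300 pps
    Sample(60.0, 13000),       # +9000                          -> 300 pps
    Sample(90.0, 343000),      # +330000                        -> 11000 pps
    Sample(120.0, 673000),     # +330000                        -> 11000 pps
]
THRESHOLD_PPS = 5000.0  # assumed; align it with your switch's storm-control level


def main() -> None:
    rates = broadcast_pps(SAMPLES)
    for i, r in enumerate(rates):
        print(f"interval {i}: {r:8.0f} broadcast pps")
    for i in storm_alerts(rates, THRESHOLD_PPS):
        print(f"ALERT: broadcast rate above {THRESHOLD_PPS:.0f} pps "
              f"sustained through interval {i}")


if __name__ == "__main__":
    main()
```

Which port you poll does not matter much, as Gary says, because a broadcast is flooded to every port in the VLAN; what does matter is the counter width. A Counter32 on a busy gigabit port can wrap in well under an hour at line rate with minimum-size frames, so prefer ifHCInBroadcastPkts where the agent offers it and keep the poll interval short enough that the counter cannot wrap twice between readings.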




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerônimo Bezerra
Sent: Monday, April 14, 2008 3:12 PM
To: [email protected]
Subject: Re: [Ntop] NTOP against Broadcast Storms

Hi Gary,

my scenario is:

LAN <--Fiber uplink VLAN 14 -> Core <- VLAN 14 untagged my ntop |

I'm in one untagged port of Core (D-Link 6500) in the same vlan. It's 
not a mirror, just in vlan 14 without any IP address.

As I said in my last email, I'm not worried about what's the source of the 
storm, but how to use ntop to detect it before users do :)

Thanks

Jeronimo
                                      
Gary Gatten wrote:
> Malware on the system?  Bad NIC hardware?  Many things are possible including 
> bridging loop.  Depending on your switch architecture there are usually 
> things you can implement on the distribution and core layers to mitigate the 
> impact of these issues.  If you have Cisco stuff I could help, if something 
> else I can't help much.
>
> Depending where your nTop box is placed (logically) and how it's actually 
> seeing the traffic impacts what it can report on; i.e.: mirrored uplinks?  
> Mirrored access ports?  Mirrored VLANs? Shared hub?
>
> Also, what version of STP are you running? PVST+, RSTP, MST?  
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Queiroz
> Sent: Monday, April 14, 2008 12:56 PM
> To: [email protected]
> Subject: Re: [Ntop] NTOP against Broadcast Storms
>
> Hi Jerônimo,
>
> There is no reason a computer could send 11K packets of ARP, unless
> there is a switching loop there.
>
> Say, do you use in your network those small and cheap switches, such as
> DLink DES-1008, Encore ENL-901NWay, etc.?
>
> When these devices are installed directly in users' rooms, it's easy
> for the users to change the way the cables are connected and create
> switching loops. I went through this problem myself...
>
> PS/Off-topic: I'm from Rio de Janeiro; if you want, I can help you
> identify the point where that loop is happening.
>
> 2008/4/14, Jerônimo Bezerra <[EMAIL PROTECTED]>:
>   
>> Hello All,
>>
>>  I'm sorry for the comma, my intention was to say 11 000 pps :) Here is my scenario:
>>
>>  80 VLANs, each of them with 100 to 600 computers;
>>  my ntop's NIC is tagged to 3 VLANs ( 14, 145, 137 );
>>  some unmanaged switches, some hubs, and some managed switches on each VLAN;
>>
>>  In one vlan ( 145 ) one computer was sending 11 000 pps of ARP
>>  broadcast, and my ntop was telling me just 300 pps. That's my question:
>>  why 300 pps?
>>  My core router was 99% of CPU.
>>
>>  Jeronimo
>>
>>  Graeme Fowler wrote:
>>
>>  > On Mon, 2008-04-14 at 11:06 -0500, Gary Gatten wrote:
>>  >
>>  >> 11 or 100 pps is nothing - not even close to anything to worry about.  A 
>>  >> 10Mb Ethernet "network" does over 19K pps.  Most broadcast storm control 
>>  >> features default to several thousand pps, so really - 11 or 100 is a tiny 
>>  >> fraction of a percent of available bandwidth.
>>  >>
>>  >
>>  > I think Jeronimo's email lost a bit in translation - it was 11kpps,
>>  > phrased as "11.000 pps". Not every written language uses a comma as a
>>  > decimal separator for positive powers of ten :)
>>  >
>>  >
>>  >> Switching Loops don't cause broadcast storms.  If there is a loop it 
>>  >> won't be found looking for excessive broadcasts.
>>  >>
>>  >
>>  > Loops in ethernet networks cause all manner of lunacy, because they
>>  > amplify anything that isn't unicast. After some time (depending on
>>  > hardware), they amplify unicast too as the L2 devices involved age out
>>  > or conflict out their MAC tables; once most switches see MAC addresses
>>  > on several ports they can get a little confused!
>>  >
>>  > Jeronimo - you gave no indication of your network topology, and only a
>>  > vague description of what happened so it's tricky to tell you why you
>>  > didn't see the problem with ntop.
>>  >
>>  > Graeme
>>  >
>>  > _______________________________________________
>>  > Ntop mailing list
>>  > [email protected]
>>  > http://listgateway.unipi.it/mailman/listinfo/ntop
>>  >
>>
>
> "This email is intended to be reviewed by only the intended recipient
>  and may contain information that is privileged and/or confidential.
>  If you are not the intended recipient, you are hereby notified that
>  any review, use, dissemination, disclosure or copying of this email
>  and its attachments, if any, is strictly prohibited.  If you have
>  received this email in error, please immediately notify the sender by
>  return email and delete this email from your system."