OSTU: How to Start a Broadcast Analysis - Part One (Tony Fortunato)

© 2009 www.thetechfirm.com

Examining

How to start a Broadcast Analysis

Part 1

Tony Fortunato, Sr Network SpecialistThe Technology Firm


Why Bother

Broadcasts can cause;

Network slowdowns

Rebooting or Frozen PC’s

Unreliable WIFI

Unpredictable application or window client performance

Extra ‘space junk’ that you need to sift through when troubleshooting

I have seen10% broadcast storm ‘lock up’ WInterms, while a 90% broadcast storm did nothing

In most cases, a broadcast or multicast packet will result in an interrupt on your PC


How

People always ask me how could 10% packet rate cause an issue. Then I explain that we generated 2 loads with a traffic generator;

90 % broadcast rate No noticeable issue

10 % broadcast rate PC’s locked up or hung

Here are the number of theoretical number of packets you can generate, depending on packet size and media speed 90%, 1518 Byte packets on 100 MB link = 7,411 packets/second 10%, 64 Byte packets on 100 MB link = 19,531 packets/second

In many cases you can REDUCE broadcasts, not eliminate them

Bandwidth 64 128 256 512 1,024 1,518 1,544,000 3,016 1,508 754 377 188 127

10,000,000 19,531 9,766 4,883 2,441 1,221 823 100,000,000 195,313 97,656 48,828 24,414 12,207 8,235

1,000,000,000 1,953,125 976,563 488,281 244,141 122,070 82,345


Common Networks and Related Issues

• In some cases the math may reveal or explain some of your current issues• I still see many flat networks, everything on the same VLAN• There should be separate VLANS for minimally each technology


Sources of Broadcasters

Anything default protocol settings will send out extra broadcast or multicast packets Printers PC’s Routing Protocols Mis-configured standard PC builds

Example of excessive protocols IPX LLC or NetBEUI IPV6, if you are a V4 shop and vice versa STP, if you are not using spanning tree Teaming or load balancing protocols UPNP RIP New Microsoft Peer to Peer protocols


Now what? How can I find out if I have this problem, or clean it up?

Protocol Analyzer is the easiest tool to use. Start a capture from an idle PC and set a Stop Capture Trigger at 8 MB

Leave the PC alone – Go for lunch you deserve it ;b Come back, and lets review the trace file


Step 1 – What’s out there? For most people, step 1 involves looking at the screen and yelling, “HOLY @#$$@%

$” We’ll try another approach;

Go to Statistics -> Protocol Hierarchy

The hard part of this exercise is to have an idea or guess-timate of what protocols you think should be on the network

It s discouraging when I hear the analyst grumble, ‘I don’t know what that is, but there are only a few of those packets, so lets skip them’

I would hope now that you have the trace file, you can pick away at it whenever you have a moment


Step 2 – Pick a Protocol, Any Protocol this customer does not use IPX for anything, so this would be a good start.

In this case I know this customer does not use IPX for anything, so this would be a good start.


Step 3; Pick An Address, Any Address This is pretty easy now, the Fluke address is their Fluke Optiview , which leaves the

Lexmark mac address. Obviously this is a printer, but what is the IP address, so I can remotely fix it? Simply filter on the Lexmark mac address, and click on the IPV4 tab.


Step 4; FIX IT!!! Make sure your “limit to display filter” is checked off The .255 ip address is just a broadcast address Simply telnet or use a web browser to connect to the printer and clean it up In some cases, you can forward the IP’s to another department, who can do this


Examining

How to start a Broadcast Analysis

Part 1

Thank You

Tony Fortunato, Sr Network SpecialistThe Technology Firm


For additional educational videos on Open Source Network Tools, please click on the following …

http://www.lovemytool.com/blog/ostu.html

LoveMyTool.com – Community for Network Tools