LOOPing - The Technology Firm


Broadcast Analysis - Looping Packets
Tony Fortunato
The Technology Firm
© 2002, The Technology Firm
WWW.THETECHFIRM.COM
Symptoms And What The Experts Say.
- Client has intermittent ‘slow downs’.
- Protocol Analyzer was connected to a switch port. No mirroring/spanning.
- As part of the broadcast investigation process, broadcast packets were inspected along with Expert feedback.
- The most common red herring is taking the Expert feedback literally and believing there are duplicate IPs and client/router misconfigurations.
NAI Sniffer Pro Results
The following screen captures show that the Sniffer reports Duplicate Network Address
and Router Storm.
NAI Sniffer Pro – The Investigation
A “Display Filter” was defined to display the duplicate packets.
Modify the “Display Setup” to show the IP layer and disable ‘Show Network Addresses’.
NAI Sniffer Pro – The Packets.
- After applying our filter, I noticed that the Frame Number started at 1, so I noted the ID number and removed the filter.
- I noticed that the first packet was from the real client (00306e1c0449), the next 127 packets were duplicates sent by an ASN router interface (00-00-a2-cc-6d-d9).
- The key here is that the other packets have the same IP Identifier (3129).
Fluke Protocol Expert
- The Protocol Expert is reporting ‘Excessive Mailslot Broadcasts’, ‘Router Storm’ and ‘IP Time To Live Expiring’.
Fluke Protocol Expert – The Investigation
By reviewing the Capture View -> Duplicate Addresses, you can see that the BAY MAC consistently comes up.
Modify the “Capture View Display Options” to show the IP layer and disable ‘Show Network Addresses’.
Fluke Protocol Expert – The Investigation
A “Display Filter” was defined to display the duplicate packets.
Fluke Protocol Expert – The Packets
- After applying our filter, I noticed that the Frame Number started at 0, so I noted the ID number and removed the filter.
- I noticed that the first packet was from the real client (00306e1c0449), the next 127 packets were duplicates sent by an ASN router interface (00-00-a2-cc-6d-d9).
- The key here is that the other packets have the same IP Identifier (3129).
Conclusions
Regardless of which tool you use, you will see the same basic pattern:
- Looping packets delivered by the BAY MAC address.
Possible explanations:
- A device with two network cards is causing a routing loop.
- A device with a specific routing misconfiguration like IP Forwarding.
- Router has a generic UDP packet forwarding command causing these loops.
Possible next steps:
- Review router configuration for UDP forwarding commands.
- Place the analyzer on the same switch port as the router port to see if another device is relaying these UDP packets to it.
- In this example the client experienced a router misconfigured for UDP flooding.
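Added example (not part of the original slides or of either analyzer): the same check done in Python, grouping IPv4 frames by source IP and IP Identifier and counting which MAC relays the copies. The capture is constructed; the two MAC addresses and IP ID 3129 come from the slides, while the IP addresses, the third host and all function names are assumptions.

```python
import struct
from collections import Counter, defaultdict

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, ip_id) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or EtherType is not IPv4
    ip = frame[14:34]
    if ip[0] >> 4 != 4:
        return None
    src_mac = frame[6:12].hex("-")
    src_ip = ".".join(str(b) for b in ip[12:16])
    return src_mac, src_ip, struct.unpack("!H", ip[4:6])[0]

def find_loops(frames, min_copies=3):
    """Group by (source IP, IP ID). Many copies of one datagram relayed by a
    different MAC points to a loop rather than two hosts sharing an address."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_frame, frames)):
        groups[(rec[1], rec[2])].append(rec[0])
    findings = []
    for (src_ip, ip_id), macs in groups.items():
        originator = macs[0]             # first copy in capture order
        relays = Counter(m for m in macs[1:] if m != originator)
        if len(macs) >= min_copies and relays:
            findings.append({"src_ip": src_ip, "ip_id": ip_id,
                             "originator": originator, "relays": dict(relays)})
    return findings

def build_frame(src_mac, src_ip, ip_id):
    """Constructed test frame: broadcast Ethernet + 20-byte IPv4 header (UDP, no payload)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ip_id, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), b"\xff" * 4)
    return eth + ip

# Constructed capture: one original, 127 relayed copies, one unrelated host (made up).
CLIENT, ROUTER = "00306e1c0449", "0000a2cc6dd9"
SAMPLE = ([build_frame(CLIENT, "192.0.2.10", 3129)] +
          [build_frame(ROUTER, "192.0.2.10", 3129)] * 127 +
          [build_frame("00306e1c0450", "192.0.2.11", 77)])

if __name__ == "__main__":
    for finding in find_loops(SAMPLE):
        print(finding)
```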