I need a network GURU (non LOR)


DevMike

Well, sort of non-LOR.

 

For some reason, something in my lab has decided to go on a 'network flood'.  I've captured a bunch of packets, and the flood appears to be a bunch of 'MAC Flow Control' Pause Sending frames, with a quanta of 0 (unpause).

 

It appears that the packets are either originating or terminating with a single computer on the network.  I can tell because I see the light on the switch just flashing its little head off for that particular computer.  I've used the Microsoft Network Monitor to capture a bunch of frames.  I've attached 11 of them here.

 

Can anyone give me a clue as to what the heck is happening?  I know enough about networking to be dangerous, and I know next to nothing this close to the metal (frames).

Attachment: fb.zip


So I poked around some more...

 

It's a single computer that is doing it, the one I posted the capture from.

 

I have a big network (well relatively), but nothing complicated.  Just 4 switches and a router (for the outside world).  Everything inside runs on a single subnet on those.  All the switches sit directly off the router but 1 (which is cascaded from an upstream switch).  All of them are dumb, non-managed.

 

I'm pretty sure it's that this NIC doesn't like this particular switch.  It's a GB NIC, and when I connect it to this particular GB Switch is when I get the flood.  If I hook it up to the other GB switch, or one of the other 100MB switches, it's fine.

 

In fact, right now I have the computer running on the other GB switch which is cascaded to the GB switch it has a problem with, which is cascaded up to the router.  No flood.  Swapping cables does not affect anything.

 

FiOS->GB Switch 1->Problem Computer - FLOOD!

FiOS->GB Switch 1->GB Switch 2->Problem Computer -- all OK

FiOS->100MB POE->Problem Computer -- all OK

FiOS->100MB WAP Switch->Problem Computer -- all OK

 

The 2 just don't seem to like each other.


In the tech world I work in, any computer that is causing ANY bandwidth issue should be taken off the network. Run a Malwarebytes scan as well as 2 different antivirus scans.

Also check the driver for the card on the flooding computer. There is the possibility of the 2 pieces of hardware not talking nicely, but that chance is rare. :)

 

Just my 2cents.


I'm not aware of any reason that malware would mess with spanning tree. There really is nothing to be gained unless you are trying a denial of service attack. And this was way too clumsy to be an effective large scale denial of service attack. Plus, what malware behaves differently depending on the switch it is plugged into?


Exactly.  It's just going to be one of those 'what the HECK??!!' kind of things.  I would blame the switch, but everything else connected to it works fine.  I'd blame the NIC, but it works connected to a different switch.  I've looked at a large number of frames, and I don't see anything unusual -- just normal network chatter (announces, requests, etc and the occasional ping of Dropbox).  The only weird thing is the back and forth 'HOLD IT!', 'NO OK GO!' these 2 like to smack each other with when hooked up to the D-Link switch.

 

I have to look in my POOP (Pile Of Other Parts) to see if I have a different GB NIC I can try.


What about (I'm doing process-of-elimination diagnosis here) another computer on that cable, at that port, on that switch? (EVERYTHING the same into that port on that switch except a different computer.) (Easier to try than switching network cards.)

 

I have in my junk pile (POOP, LOL, love it) 3 smaller dumb switches that have one bad port each. Guess what they do... packet storm the network when THAT port is utilized...

IF it still does it (that port), then try a different cable. IF there is in-wall wiring, then ALSO try bypassing it with a long cable, OR moving the suspect computer to the switch for a test.

 

I have seen the following... brown and green pairs reversed (will still do 100/full with the blue and orange pairs being correct), BUT will chatter. HOWEVER, the brown set is used for a strange HARDWARE handshake on some inexpensive switches (older Linksys and D-Link are common ones).

 

Something about (their) exclusive "speed" ability when using ALL the parts in the network chain (switch, card, & router being faster than other mfgs').

 

Older 3Com stuff was like this also: if you used a 3Com switch and 3Com network cards, somehow they (as a set) would outperform others in data speed tests. Switch the brown/green pair somewhere in between and POOF!! Data storm!

Just trying to help.

 

Greg

Edited by a31ford

I had a problem with some of the Adobe products creating a file server out of my computer; seems in order to get quick download times, they store software on YOUR computer and access it with their file management software (download manager) and you become a personalized file server for Adobe.

 

See Akamai Download Manager: http://helpx.adobe.com/x-productkb/policy-pricing/akamai-download-manager-faq.html

 

and: http://www.shouldiremoveit.com/adobe-download-manager-6550-program.aspx

 

The sales brochure: http://www.akamai.com/dl/brochures/Product_Brief_Sola_DLM.pdf

 

Akamai has their own servers, but also uses your computer to help deliver software to their customers: http://www.akamai.com/html/technology/index.html

 

I saw a lot of internet traffic going to places unknown to me and after uninstalling it, network traffic went back to normal.

 

From Wikipedia: "However, this software operates not merely as a download manager (delivering content from the Internet to the user's computer) but also as a peer-to-peer server, delivering content cached on the user's computer to other users' computers"

 

Just offering a suggestion.

Edited by Ken Benedict

For anyone suggesting that this is malware, or even BitTorrent style traffic, go download the sample, and examine it. It isn't even network layer traffic. There are no IP addresses. It is all Data Link layer traffic. The source address is the MAC address for broadcast, and the destination is the MAC address for spanning tree.

Either something about this NIC or driver is really throwing the switch firmware for a loop, or something about the switch is throwing the NIC firmware or driver for a loop. Nothing more. Where I work, I am obligated to report things that look like security events to a couple of other teams. The attached packet capture wouldn't even catch anyone's attention except to update drivers and/or firmware until it went away, or change where things plugged in, as above. If it persisted, the vendors would be engaged, just to figure out how to solve it before we saw more of it elsewhere.

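The frames the opening post describes (MAC Control PAUSE with quanta 0) and the reply above (link-layer only, no IP addresses) can be confirmed mechanically rather than by eyeballing a capture. This added example is not from the thread or any participant: it decodes raw Ethernet frames, picks out 802.3x PAUSE frames (destination 01:80:c2:00:00:01, EtherType 0x8808, opcode 1, 16-bit pause quanta) and counts them per source MAC, which is how you would confirm a flow-control storm and which host it comes from. The MAC addresses and sample frames are constructed, and the per-host threshold is an arbitrary assumption.

```python
import struct
from collections import Counter

# 802.3x constants: PAUSE frames go to a reserved multicast address, carry the
# MAC Control EtherType and opcode 1, followed by a 16-bit pause_time in quanta.
PAUSE_DST = bytes.fromhex("0180c2000001")
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001
MIN_FRAME_LEN = 60  # minimum Ethernet frame length (without FCS), padded with zeros

def build_pause_frame(src_mac: str, quanta: int) -> bytes:
    """Construct a PAUSE frame (sample data for this example, not a real capture)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    body = PAUSE_DST + src + struct.pack("!HHH", MAC_CONTROL_ETHERTYPE, PAUSE_OPCODE, quanta)
    return body.ljust(MIN_FRAME_LEN, b"\x00")  # pad the way a NIC would

def parse_pause_frame(frame: bytes):
    """Return (src_mac, quanta) for an 802.3x PAUSE frame, or None for anything else."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if dst != PAUSE_DST or ethertype != MAC_CONTROL_ETHERTYPE or opcode != PAUSE_OPCODE:
        return None
    return src.hex(":"), quanta

def pause_storm_report(frames, threshold: int = 5) -> dict:
    """Count PAUSE frames per source MAC; flag sources at or over the (assumed) threshold."""
    # A host flooding quanta-0 "unpause" frames shows up with quanta_zero == pause_frames.
    total, zero = Counter(), Counter()
    for frame in frames:
        parsed = parse_pause_frame(frame)
        if parsed is None:
            continue  # IP, ARP, etc.: not flow control, ignore
        src, quanta = parsed
        total[src] += 1
        if quanta == 0:
            zero[src] += 1
    return {src: {"pause_frames": n, "quanta_zero": zero[src], "flagged": n >= threshold}
            for src, n in total.items()}

# Constructed sample: one host spewing unpause frames, one normal pause, one IPv4 frame.
NOISY_HOST, QUIET_HOST = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
IPV4_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
              + struct.pack("!H", 0x0800)).ljust(MIN_FRAME_LEN, b"\x00")
SAMPLE_FRAMES = [build_pause_frame(NOISY_HOST, 0) for _ in range(6)] + \
                [build_pause_frame(QUIET_HOST, 0xFFFF), IPV4_FRAME]

if __name__ == "__main__":
    print(pause_storm_report(SAMPLE_FRAMES))
```

To run it over a real capture, feed the raw frames from the .cap/.pcap (for example via a pcap reader) into pause_storm_report in place of SAMPLE_FRAMES.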

Check to see that NIC and switch port are set to auto.

Sometimes there are issues when one is set to auto and the other is set at a speed/duplex.

You can also check the logs on the switch to see if there are any CRC errors.

