This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Every couple of weeks our network gets hit by a pause frame flood that effectively brings down our entire network. This has happened at least five times now since I started my new job as sole IT-technician at a manufacturing plant. Our network is entirely made up of dumb L2 switches so locating the offending device has proven to be tricky.

So far I have only managed to find which port on our central patch panel the packet are coming from, . Pulling the TP-cable instantly brings the rest of the network back up. The flood lasts for about 30 to 45 minutes, after that I can plug the cable back in and everything looks normal again, like nothing ever happened.

So, I was hoping that somebody here maybe has some knowledge of what might be going on.

Every frame looks like this, and as you can see the source MAC isn't even a real MAC address, but instead spells out REALTK in ASCII.

0000  01 80 c2 00 00 01 52 45  41 4c 54 4b 88 08 00 01   ......RE ALTK....  
0010  ff ff 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........  
0020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........  
0030  00 00 00 00 00 00 00 00  00 00 00 00               ........ ....

I would really appreciate if somebody could shed some light on this.

asked 16 Mar '13, 09:52

JonC's gravatar image

JonC
6112
accept rate: 0%

If you haven't already done so, a web search for the terms "spanning tree for bridges", "pause frame" will find hits about pause frame floods & etc. which may be of help.

Also search "ethernet pause frame" "flood"

(16 Mar '13, 10:35) Bill Meier ♦♦

It is a real MAC address, just not what we're used to. It has the Locally Administered bit set, so it's up to the network administrator to make sure it's unique within the realm of the network.

That's the theory at least, in reality I think it's just a reference to a Realtek network interface.

The fact that it affects your whole network tells me that the switches used are not 802.1D compliant, otherwise they would have trapped these pause frames.

The fact that it lasts a good half an hour means that some network device got it panties in a bunch. With this 'made up' source mac address it's not easy to find out which. At least you know from which uplink it comes, so it's just a matter of tracking it down from there. To give you time to do that get yourself a 802.1D compliant switch and patch it in between the central patch panel and the offending uplink. That at least would isolate the problem so only part of the network would be affected. Make sure to test out this switch with ethtool or alike before patching it in.

permanent link

answered 16 Mar '13, 10:50

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×9
×8
×3

question asked: 16 Mar '13, 09:52

question was seen: 5,701 times

last updated: 16 Mar '13, 10:50

p​o​w​e​r​e​d by O​S​Q​A