This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

high packets per second under LLC protocol

0

Greetings all, I was doing a sniff with Wireshark and noticed my network was sending between 400-800 packets per second, with over 98% of them under the 'OTHER' label when sniffing. They were labeled with the protocol LLC, and my log was flooded with the screenshot below.

Can anyone provide some insight as to what may be causing so many packets to be generated on my network?

Thank you


asked 12 Jun '13, 09:30


billjackson
5114
accept rate: 0%


2 Answers:

1

I would say that the device with the MAC address 'ASUSTEKC_e7:0b:5e' is broken and thus sends 'unstructured' data to the network (due to a broken driver or a broken NIC). Wireshark tries to decode that data as best it can, and just by chance it decodes the packets as LLC and X.25.

Please identify that device on the network (you can use the switch 'CAM table' to find the port) and then figure out what's wrong with that device.

Maybe a simple reboot fixes the problem (if it is caused by a crashed driver).

Regards
Kurt

answered 12 Jun '13, 12:46


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 12 Jun '13, 13:20

Thank you Kurt Knochner, you are helpful. How do I give you karma too? I already gave some to Klodovic.

(12 Jun '13, 12:57) billjackson

You can't, as you don't have any karma left. "Giving" extra karma means donating some of your own karma.

If you select one answer as the correct one by using the check mark (after thoroughly checking its value), you can give 25 extra karma points to the one who helped you most with his answer. Please see the FAQ.

(12 Jun '13, 13:08) Kurt Knochner ♦

1

Check out the source MAC address of the packets to determine which device is the source of the unwanted traffic.

answered 12 Jun '13, 12:03


klodovic
42116
accept rate: 0%

The source shows ASUSTEKC_e7:0b:5e, also I have over 100 devices on site here!!

(12 Jun '13, 12:16) billjackson

Trace the ASUSTEKC_e7:0b:5e MAC address on your network segment to see on which switch, and on which port of that switch, the ASUSTEKC_e7:0b:5e is connected.

(12 Jun '13, 12:35) klodovic
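An added example, not part of the original thread: one way to do the source-MAC check both answers suggest is to tally frames per source MAC in a saved capture. It also flags frames whose type/length field is 1500 or less, the case where a dissector reads the field as an 802.3 length and tries LLC on the payload. The MAC addresses and the sample capture are constructed, and `talkers` and `build_sample_pcap` are hypothetical helper names.

```python
import io
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed sample: classic little-endian pcap holding three Ethernet frames."""
    noisy = bytes.fromhex("0200000000aa")  # constructed MAC, not the one in the thread
    quiet = bytes.fromhex("020000000001")  # constructed MAC
    dst = bytes.fromhex("ffffffffffff")
    frames = [
        dst + noisy + struct.pack("!H", 0x0026) + bytes(46),  # value <= 1500: a length
        dst + noisy + struct.pack("!H", 0x0003) + bytes(46),
        dst + quiet + struct.pack("!H", 0x0800) + bytes(46),  # EtherType IPv4
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def talkers(pcap_bytes):
    """Count frames per (source MAC, kind); kind is 'llc' when type/length <= 1500."""
    buf = io.BytesIO(pcap_bytes)
    header = buf.read(24)
    if header[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif header[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    if len(header) < 24 or struct.unpack(endian + "I", header[20:24])[0] != 1:
        raise ValueError("capture is not Ethernet (linktype 1)")
    counts = Counter()
    while True:
        record = buf.read(16)
        if len(record) < 16:
            break
        incl_len = struct.unpack(endian + "I", record[8:12])[0]
        frame = buf.read(incl_len)
        if len(frame) < 14:
            continue  # too short to carry an Ethernet header
        src = frame[6:12].hex(":")
        type_len = struct.unpack("!H", frame[12:14])[0]
        counts[(src, "llc" if type_len <= 1500 else "ethertype")] += 1
    return counts

if __name__ == "__main__":
    for (mac, kind), n in talkers(build_sample_pcap()).most_common():
        print(f"{mac}  {kind:9}  {n} frames")
```

The MAC at the top of the list is the one to look up in the switch's CAM table.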