This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Network storm

0

Hi, we seem to be having a network storm every day at 1pm that lasts for an hour, it generates 140k of traffic to every user. Do I have to setup a filter to try and identify? I am new to this so I have no idea where to start!

Steve

asked 09 Mar '11, 11:40

stevewarden0's gravatar image

stevewarden0
1333
accept rate: 0%

2 Answers:

2

If you have a storm, no need to filter, it will stand out in the tracefile :-)

Just look for stuff that's repeating itself. Watch for the "IP TTL" and "IP id" to see whether it is a L2 storm (IP TTL and IP id stay the same) or a L3 loop ("IP TTL" decreases and "IP id" changes).

Look at the source mac and IP address to track the source of the storm and then look at the L2 / L3 design of your network to find your loop.

answered 09 Mar '11, 11:55

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Wouldn't L3 loop eventually die out when TTL dropping down to zero?

(11 Dec '12, 00:41) xkgt

Can share the string to capture "IP TTL" and "IP id"?

(27 Jan '14, 02:26) gamermic

1

If the symptom can be observed "every day" it sounds like a time-triggered batch job. We have observed similar behavior caused for example by

  • Software distribution / updates
  • Virus pattern update
  • Hardware / software inventory recording
  • Network management systems collecting information

Can you post traffic for a single workstation on cloud shark?

answered 11 Dec '12, 12:51

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%