This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need to find broadcast source.

0

Hi,

I am facing an issue where my full network goes down for a few minutes (5 to 10) twice a day. During this period I am not able to ping any local system either. I guess it may be because of broadcast.

Is it possible to find the source of the broadcast via Wireshark?

asked 17 Aug '16, 01:11

May5799
accept rate: 0%

Yes sir, I already checked all uplinks. It happens for a few minutes only; because of this I am unable to find the same. I found a lot of traffic in Wireshark at the same time but am unable to find the source.

(17 Aug '16, 02:08) May5799

What kind of switches do you use (manufacturer)?

(17 Aug '16, 02:28) Christian_R

Cisco SG300 and Cisco 3850

(17 Aug '16, 03:05) May5799

Have you changed something recently? Config, firmware, topology? Do all SG300s have the same firmware version? You can, at your own risk, eliminate the redundancy for about 24h and see if the network has the same failure. I still think you have a loop. The SG300 is able to stop broadcast storms and loops. I guess that ends your loops.

(17 Aug '16, 03:40) Christian_R

Hi Christian,

Thanks for the update. There is no change in the network; the only change is that we have procured 150 new systems and installed them in our network, which was the last activity. But still, I will check all the loops on all switches again and let you know.

(17 Aug '16, 04:26) May5799

Please check if all sg300 have the same firmware version.

(17 Aug '16, 04:34) Christian_R

Hi Christian,

Thanks for the update. There is no change in the network; we have put 150 new systems in the network. Is there any possibility this is happening because of this? I will check all the loops on all switches and let you know. We have not updated any firmware. Are D-Link switches able to create this kind of issue?

(17 Aug '16, 04:57) May5799

Yes, I will check.

(17 Aug '16, 05:11) May5799

Every switch with more than 1 uplink has the capability. But some switches have the capability to allow more than 1 uplink by the use of spanning tree, for example; this is standard nowadays.

So I think your new switches use newer firmware. You should bring all switches to the same (newest) firmware. And the D-Link switch can be the cause of the problem, too. It depends on where it resides in the topology.

(17 Aug '16, 05:14) Christian_R

Yes, thanks for your valuable update. I will do the activity and let you know the status.

(17 Aug '16, 05:17) May5799

Hi,

I am not able to find any loop. We have scanned all systems in our organization but are facing the same issue. Is it possible to find it via Wireshark?

(18 Aug '16, 01:41) May5799

Wireshark shows you the Ethernet frames. If a frame has a broadcast destination MAC address, each switch which receives it through one port sends it to all other ports. (This is the reason why uncontrolled loops are so dangerous. Looped physical connections can only be used if STP or RSTP is used to detect them and dynamically disable one of the connections making up a loop).

So in Wireshark, you can apply a display filter eth.dst == ff:ff:ff:ff:ff:ff and look at the frames which remain. If they all have the same source MAC address, it can be the source of the broadcast storms, but it is not very likely. Try that and tell (or, better, show) us the result.

To create a loop, it is enough to connect two switches using more than one cable without properly configuring LAG (or port channel) or STP (RSTP).

(18 Aug '16, 02:50) sindy
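
Added example, not part of the original thread: the per-source tally that the display filter eth.dst == ff:ff:ff:ff:ff:ff in the comment above is meant to reveal, done offline in Python over a classic pcap file. It goes one step beyond the comment by also counting byte-identical repeats, which is how a frame circulating in a loop shows up in a capture; the function names and the capture built by build_sample() are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6  # same test as eth.dst == ff:ff:ff:ff:ff:ff

def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # 1 = Ethernet link type
        raise ValueError("link type is not Ethernet")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def broadcast_summary(data):
    """Return ([(src_mac, broadcast_count), ...], byte_identical_repeats)."""
    per_src, seen = Counter(), Counter()
    for _, frame in read_pcap(data):
        if len(frame) >= 14 and frame[:6] == BROADCAST:
            per_src[frame[6:12].hex(":")] += 1  # bytes 6..11 are the source MAC
            seen[frame] += 1                     # identical bytes = same frame seen again
    return per_src.most_common(), sum(n - 1 for n in seen.values())

def build_sample():
    """Constructed capture: one broadcast seen 5 times, another once, plus a unicast."""
    def rec(ts, frame):
        return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [BROADCAST + a + b"\x08\x06" + b"A" * 28] * 5
    frames += [BROADCAST + b + b"\x08\x06" + b"B" * 28, b + a + b"\x08\x00" + b"x" * 20]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(rec(ts, f) for ts, f in enumerate(frames))

if __name__ == "__main__":
    sources, repeats = broadcast_summary(build_sample())
    for src, count in sources:
        print(f"{src}  {count} broadcast frames")
    print("byte-identical repeats:", repeats)
```

Many sources combined with a high repeat count fit the loop explanation given in the thread better than a single misbehaving host does.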

I mean you have seen it already as a massive broadcast storm.

(18 Aug '16, 03:26) Christian_R

No, I am unable to find this kind of thing in Wireshark.

(18 Aug '16, 20:39) May5799

Oh, seems that I misunderstood your question. I thought you see a huge amount of broadcasts during the incident. But you don't see any broadcast. Am I right?

(18 Aug '16, 23:07) Christian_R

One Answer:

0

Sounds to me like a loop in the network. Have you already checked all uplinks for CRC failures?

answered 17 Aug '16, 01:44

Christian_R
accept rate: 16%