This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UDP Flooding

0

Hi, I just want to ask: is UDP traffic like this normal?

http://img716.imageshack.us/i/vlan203guest22102010.jpg

My network became very slow after this happened. The strange thing is, why is there so much traffic with IP 172.16.5.1 but using many different MAC addresses?

Since I'm new to Wireshark I don't know whether it is a serious problem or not, but my network is getting very slow.

If the broadcast address is 255.255.255.255, would it be broadcast in network 172.16.5.0, or can it be broadcast in all the different networks in one VLAN? My network in 172.16.2.0 is very slow; is it possible that this is the cause?

This question is marked "community wiki".

asked 23 Oct '10, 08:46

neoplasma

edited 23 Oct '10, 12:16

Jaap ♦


7 Answers:

0

First in answer to your broadcast question: broadcast traffic should be isolated to a single vlan (also called a broadcast domain). You can see exceptions to this rule with vlan bleed -- where two access ports with different vlan tags are connected back-to-back -- but this is changing the physical architecture and not the behavior of broadcast traffic.

As to your UDP traffic question, this is not normal behavior. I would investigate the 172.16.5.1 device and see what service or application is listening on the 7102 port. Perhaps you have a misconfiguration in the app that has a destination of the broadcast address?

You mention that the MAC address is changing but it is impossible to see this in your example image -- is there any pattern to it?

answered 24 Oct '10, 06:16

Peter

0

So if I have a single VLAN with 2 networks (172.16.2.0, 172.16.5.0), the broadcast traffic 255.255.255.255 will affect both networks, right?

172.16.5.1 is a door lock system server which is connected to the hotel rooms. The devices in the hotel rooms use a serial-to-IP converter to connect to their server (172.16.5.1). By default the device in the room doesn't have an Ethernet port, so we use a serial-to-IP converter to connect to the server.

In my image above all the source IPs are 172.16.5.1, but if I look in detail at the source MAC address, it comes from all the IP converters in the hotel rooms. So all the devices in the hotel rooms are using IP address 172.16.5.1 and broadcasting on 255.255.255.255.

answered 24 Oct '10, 06:39

neoplasma

Yes, the broadcast traffic from both 172.16.2.0 & 172.16.5.0 will be visible to both if you are using secondary IP address on the same vlan.

How are the serial-to-IP converters configured? Do they get IP addresses from a DHCP server? I'm not sure I'm following your last paragraph -- could you re-state what is going on with the converters?

(24 Oct '10, 08:32) Peter

0

> Yes, the broadcast traffic from both 172.16.2.0 & 172.16.5.0 will be visible to both if you are using secondary IP address on the same vlan.

OK, then I assume that the UDP broadcast from 172.16.5.1 is the main cause of my network in 172.16.2 getting very slow. At least now I'm confident, since the vendor of the door lock system doubts my analysis lol

> How are the serial-to-IP converters configured? Do they get IP addresses from a DHCP server? I'm not sure I'm following your last paragraph -- could you re-state what is going on with the converters?

I don't know much about the converters since they are managed by another vendor, but I'm sure the converters use static IP addresses. I'll ask them tomorrow how it works. By the way, in my last paragraph I meant that many converters in the hotel rooms use the same IP address (172.16.5.1), as captured in Wireshark. For example, frame number one came from source IP address 172.16.5.1 with MAC address 00:11:22:4d:09:3b and frame number two came from source IP address 172.16.5.1 with MAC address 00:11:22:4d:09:5b, and so on. I think it's really weird. OK, thanks Peter, I'll update tomorrow. Sorry for my terrible English :)

answered 24 Oct '10, 10:34

neoplasma
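An added example, not part of the original thread: a check for the pattern described above, one source IP appearing behind several source MACs while sending UDP to 255.255.255.255. The frames are constructed inside the script; `build_frame` and `analyse` are hypothetical names, and the 172.16.2.10 host and port 137 are made up for contrast.

```python
import socket
import struct
from collections import defaultdict

BROADCAST_MAC = b"\xff" * 6

def build_frame(src_mac, src_ip, dst_ip, dport, payload=b"\x00"):
    """Constructed Ethernet II/IPv4/UDP frame for the demo (checksums left at 0)."""
    eth = BROADCAST_MAC + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    udp = struct.pack("!HHHH", dport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp

def analyse(frames):
    """Return ({src_ip: MACs} for IPs used by more than one MAC,
               {(src_ip, dst_port): count} for UDP sent to 255.255.255.255)."""
    macs_by_ip = defaultdict(set)
    bcast_udp = defaultdict(int)
    for f in frames:
        # Only untagged IPv4 over Ethernet II is handled; 802.1Q frames are skipped.
        if len(f) < 34 or f[12:14] != b"\x08\x00":
            continue
        ihl = (f[14] & 0x0F) * 4                  # IPv4 header length in bytes
        src_ip = socket.inet_ntoa(f[26:30])
        dst_ip = socket.inet_ntoa(f[30:34])
        macs_by_ip[src_ip].add(f[6:12].hex(":"))  # source MAC of this frame
        udp = 14 + ihl                            # offset of the UDP header
        if f[23] == 17 and dst_ip == "255.255.255.255" and len(f) >= udp + 4:
            dport = struct.unpack("!H", f[udp + 2:udp + 4])[0]
            bcast_udp[(src_ip, dport)] += 1
    shared = {ip: m for ip, m in macs_by_ip.items() if len(m) > 1}
    return shared, dict(bcast_udp)

# Constructed sample: the two MACs quoted in the thread plus one unrelated host.
SAMPLE = [
    build_frame("00:11:22:4d:09:3b", "172.16.5.1", "255.255.255.255", 7102),
    build_frame("00:11:22:4d:09:5b", "172.16.5.1", "255.255.255.255", 7102),
    build_frame("00:11:22:4d:09:3b", "172.16.5.1", "255.255.255.255", 7102),
    build_frame("02:00:00:00:00:01", "172.16.2.10", "172.16.2.255", 137),
]

if __name__ == "__main__":
    shared, bcast = analyse(SAMPLE)
    for ip, macs in shared.items():
        print(f"{ip} seen from {len(macs)} MACs: {sorted(macs)}")
    for (ip, port), n in bcast.items():
        print(f"{n} UDP broadcasts from {ip} to port {port}")
```
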

0

Hi Peter, I already solved the problem by shutting down all the converters in the villa :)

But my question is: why does this problem only happen if users in the villa connect to the internet through WiFi? I already tried with another access point and the result is the same. If users connect their laptops by cable directly to the switch there is no problem with the connection, even though all the converters are on.

answered 26 Oct '10, 09:47

neoplasma

0

Wifi has less bandwidth available than hard-wire (11Mb or 54Mb generally for 802.11a/b/g). Also, wireless operates differently, including operating at half-duplex, not full, and using a CSMA/CA method of controlling access to network resources, while wired Ethernet uses CSMA/CD.

This difference may seem small at first, but can have dramatic effects on performance, particularly in situations with large amounts of broadcast traffic. Wireless is easy to set up (poorly), but requires a lot of planning and design to do correctly.

answered 26 Oct '10, 10:17

Peter

0

I notice that UDP port 7102 is used by some online games (Dungeon Fighter Online from Neople) - are you playing those?

answered 26 Oct '10, 10:33

wesmorgan1

0

Thanks Peter for your great explanation. I know that my WiFi bandwidth is smaller than wired; I just thought that it was not significant, but now I know it can have a dramatic effect :)

@wesmorgan no dude, UDP port 7102 is used by an application in my local network.

OK, thanks guys for your help, case closed :)

answered 27 Oct '10, 07:50

neoplasma