I'm not our normal networking guy ... I've just been drafted in to help with this problem. Please bear with me.
We have a fairly large network (~4,000 devices?) consisting mostly of HP ProCurve equipment. Over the last few weeks we have had occasional broadcast storms that all but prevent any other traffic from getting across the network. I set up Wireshark to take 5 MB dumps and caught some of it red-handed this morning.
You can download the packet capture. The fun starts at packet no. 23968. A seemingly malformed NBNS packet is repeated over and over. It's not just a straight loop, though. The source (143.226.8.185) and destination (143.226.44.79) IP addresses stay the same, but the source MAC address changes. The first packet appears to come from an unremarkable device on the network and is sent to the multicast address 01:00:5e:7f:ff:fa. All packets after that come from the MAC addresses of our HP wireless access points and are sent to a different multicast address: 01:00:5e:62:2c:4f.
Here is the first packet:
No. Time Source Destination Protocol Info
23968 122.229240 143.226.8.185 143.226.44.79 NBNS Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]
Frame 23968 (1038 bytes on wire, 1038 bytes captured)
Arrival Time: Sep 15, 2010 08:32:44.329966000
[Time delta from previous captured frame: 0.004744000 seconds]
[Time delta from previous displayed frame: 0.004744000 seconds]
[Time since reference or first frame: 122.229240000 seconds]
Frame Number: 23968
Frame Length: 1038 bytes
Capture Length: 1038 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:udp:nbns]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Address: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
Address: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 7773643D22687474703A2F2F736368656D61732E786D6C73...
Frame check sequence: 0x6f70653e [incorrect, should be 0x30019938]
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 203
Identification: 0x00d0 (208)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xe485 [correct]
[Good: True]
[Bad : False]
Source: 143.226.8.185 (143.226.8.185)
Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 183
Checksum: 0x01db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
NetBIOS Name Service
Transaction ID: 0x4d2d
Flags: 0x5345 (Unknown operation)
0... .... .... .... = Response: Message is a query
.101 0... .... .... = Opcode: Unknown (10)
.... ..1. .... .... = Truncated: Message is truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Broadcast: Not a broadcast packet
Questions: 16722
Answer RRs: 17224
Authority RRs: 8234
Additional RRs: 8264
Queries
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (12081)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (11631)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25701)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25914)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25970)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (18273)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (24953)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (26979)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (3338)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (14882)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28730)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25455)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (8717)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28513)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (29287)
[Malformed Packet: NBNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
Here is the next packet:
No. Time Source Destination Protocol Info
23969 122.229836 143.226.8.185 143.226.44.79 NBNS Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]
Frame 23969 (217 bytes on wire, 217 bytes captured)
Arrival Time: Sep 15, 2010 08:32:44.330562000
[Time delta from previous captured frame: 0.000596000 seconds]
[Time delta from previous displayed frame: 0.000596000 seconds]
[Time since reference or first frame: 122.229836000 seconds]
Frame Number: 23969
Frame Length: 217 bytes
Capture Length: 217 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:udp:nbns]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: HewlettP_05:de:da (00:17:a4:05:de:da), Dst: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
Destination: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
Address: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HewlettP_05:de:da (00:17:a4:05:de:da)
Address: HewlettP_05:de:da (00:17:a4:05:de:da)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 203
Identification: 0x00d0 (208)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 127
Protocol: UDP (0x11)
Header checksum: 0xe585 [correct]
[Good: True]
[Bad : False]
Source: 143.226.8.185 (143.226.8.185)
Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 183
Checksum: 0x01db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
NetBIOS Name Service
Transaction ID: 0x4d2d
Flags: 0x5345 (Unknown operation)
0... .... .... .... = Response: Message is a query
.101 0... .... .... = Opcode: Unknown (10)
.... ..1. .... .... = Truncated: Message is truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Broadcast: Not a broadcast packet
Questions: 16722
Answer RRs: 17224
Authority RRs: 8234
Additional RRs: 8264
Queries
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (12081)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (11631)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25701)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25914)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25970)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (18273)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (24953)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (26979)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (3338)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (14882)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28730)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25455)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (8717)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28513)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (29287)
[Malformed Packet: NBNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
Crazy, no? If you look through the packet capture, a great deal of this packet is repeated after this point. It then goes on and on into several more files.
If this were a loop, why would only our APs be sending this packet around? These APs are spread all over our campus.
A bit more info about our network ... It's all flat. Straight Ethernet runs to everything and we have a class B IP block. No subnets. Between our network and our WAN connection sit a packet shaper, a firewall and a router.
If you see this post and it looks familiar, that is because I posted a similar problem in the past that we have not yet solved but have not seen lately. It can be found at "HP Switches sending out multi-cast ping requests".
Thank you for your time!
Edit: Packet 23968 is confirmed as the trigger of this multicast storm. I replayed that one packet onto our network and it started all over again.
Edit / Update: Some more experimenting. I took one of our HP access points and connected it directly to my PC. Nothing else is attached to the segment. When I replay the original packet that caused the problems to the AP, the AP responds once. When I replay the AP's response to the AP, it responds again. Each time this happens, the TTL is lowered. What is happening here is that the APs on the network first hear the broken multicast packet from the host and respond to it via multicast. Each AP hears those responses from all the other APs and responds to them. Each AP hears all the responses to the responses and responds to those. Fortunately the TTL is lowered each time, so the storm dies out once the TTL reaches 0 and the packet is killed. Now I just need to figure out how to stop this behaviour!
The AP I have in front of me is an HP ProCurve 420 J8130B.
Edit (SOLVED!): After trying what seemed like every configuration setting on the AP, I still could not stop these multicast packets from being retransmitted. I noticed that we were not on the latest firmware, so I tried upgrading, but the problem persisted. Then I tried downgrading to version 2.1.7, dated November 29, 2006. No problems with that firmware! APs running 2.1.7 do not retransmit the packet!!! I'm still waiting to find out how the junk data got onto the network in the first place, but the problem is solved for now. We are filing a bug report with HP.
Answers:
First and foremost, these are not NBNS packets but Universal Plug-n-Play packets attempting to search for "Internet Gateway Device"-capable devices. UPNP-IGD uses IPv4 multicast to locate such edge devices. The protocol, such as it is, says there should only be one. The give-away is in the packet payload:
IGD is used by some applications to tell consumer NAT gateways how to handle NAT traversal for certain protocols. IM applications and the like. You can get Wireshark to show things better by decoding UDP/137 as HTTP for this capture.
Now, why this causes a multicast storm is the big question. You get the same kind of packet long before the storm hits, but those are correctly sent to 239.255.255.250:1900. Packet 23955 actually comes from the same device that triggers the storm with 23968. Packet 23968, however, shows the same destination MAC address (one indicating IPv4 multicast) but has a destination IP address that is inside your /16 block and should NOT be multicast.
Packet 23604 is also very malformed. It has a valid Ethernet header, but the IP header is oddly truncated and ends in the same UPNP-IGD string I quoted above. The device that emitted this strange, strange packet is the same device (coming from the same MAC address, anyway) as packet 23968, which triggered the multicast storm.
My best bet at this point is that the device at 00:1F:3B:D2:5E:6D is hosed in some way or is clearly not handling these UPNP search requests correctly. Packet 24717 shows another M-SEARCH request to 239.255.255.250:3702, also from the same device. Right IP address, wrong port (it should be 1900).
I suspect the multicast storm is triggered by a packet with a unicast IP address arriving with a multicast MAC address, and that your network devices do not handle this invalid case correctly. This is suggested by the fact that the packets after the first all claim to come from the same IP (143.226.8.185), but the MAC address is different on each. You have a faulty device that has found a bug in the multicast/unicast handling of your network devices.
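The mismatch this answer describes can be checked mechanically. The following is an added example, not part of the original posts: it applies the RFC 1112 IPv4-to-MAC multicast mapping and flags frames whose destination MAC is an IPv4 multicast address while the destination IP is unicast. The three frames are constructed from the header fields shown in the dissections above; the well-formed SSDP frame's TTL and the names `classify`, `mapped_mac` and `SAMPLE_FRAMES` are assumptions.

```python
import ipaddress
import struct

V4_MCAST_PREFIX = bytes.fromhex("01005e")  # IANA prefix for IPv4 multicast MACs


def mapped_mac(ip: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the address."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return (V4_MCAST_PREFIX + low23.to_bytes(3, "big")).hex(":")


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl):
    """Constructed Ethernet II + IPv4 header (UDP, checksum left 0, no payload)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 203, 0x00D0, 0, ttl, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def classify(frame: bytes) -> dict:
    """Compare the layer-2 destination with the layer-3 destination."""
    if len(frame) < 34:                      # Ethernet (14) + minimal IPv4 (20)
        return {"verdict": "truncated"}
    if frame[12:14] != b"\x08\x00":
        return {"verdict": "not-ipv4"}
    if frame[14] >> 4 != 4 or (frame[14] & 0x0F) < 5:
        return {"verdict": "bad-ip-header"}
    dst_mac = frame[0:6]
    dst_ip = ipaddress.IPv4Address(frame[30:34])
    # 01:00:5e with the next bit clear is the IPv4 multicast MAC range.
    mac_is_v4_mcast = dst_mac[:3] == V4_MCAST_PREFIX and dst_mac[3] < 0x80
    matches = dst_mac.hex(":") == mapped_mac(str(dst_ip))
    if not mac_is_v4_mcast:
        verdict = "not-multicast-mac"
    elif not dst_ip.is_multicast:
        verdict = "unicast-ip-on-multicast-mac"   # the case seen in 23968/23969
    elif not matches:
        verdict = "group-mac-mismatch"
    else:
        verdict = "ok"
    return {"verdict": verdict, "dst_mac": dst_mac.hex(":"),
            "dst_ip": str(dst_ip), "ttl": frame[22],
            "mac_matches_mapping": matches}


# Constructed from the dissections above (addresses and TTLs as shown there);
# the "ssdp" frame is an assumed well-formed M-SEARCH from the same host.
SAMPLE_FRAMES = {
    "23968": build_frame("01:00:5e:7f:ff:fa", "00:1f:3b:d2:5e:6b",
                         "143.226.8.185", "143.226.44.79", 128),
    "23969": build_frame("01:00:5e:62:2c:4f", "00:17:a4:05:de:da",
                         "143.226.8.185", "143.226.44.79", 127),
    "ssdp": build_frame("01:00:5e:7f:ff:fa", "00:1f:3b:d2:5e:6b",
                        "143.226.8.185", "239.255.255.250", 1),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify(frame))
```

Both storm frames are flagged. The destination MAC on frame 23968 is the mapping of the SSDP group 239.255.255.250, while the one on the AP's frame 23969 equals the same mapping applied to the unicast address 143.226.44.79.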
@Brad: I just saw this and wonder whether it gives you any insight into the problem.
http://support.microsoft.com/kb/317843
I recommend opening Task Manager on the host that is sending the broadcast and closing, one by one, every application that could be sending something to the network, while watching the packets on the network (Wireshark) to find the app that is causing the trouble.