
Broadcasting problem

Status
Not open for further replies.

brettums

IS-IT--Management
Dec 27, 2000
121
US
This is going to be a very broad question... I'm hoping someone can suggest some things I can look into to try and find out what's happening.

My network is segmented into 13 VLANs. On one of those 13 VLANs I'm noticing extremely sluggish download time... This VLAN is for PUBLIC access only. Ex. I work in a school and all lab areas are considered public machines. I'm in a mixed environment of WinXP and OSX Panther/Jaguar. All PCs are using Symantec AV Corp. However, Macs are not... I'm really leaning toward a virus outbreak which has happened on this subnet (VLAN). I just don't know what tools to use when trying to find out if it's true or not. The backend is all Cisco... using for switches 2950, 3548, 3524 and for routing a 3750... anyone recommend how to use debugging or, better yet, an app that can help me pinpoint what is going on? If you need more details please let me know.

FYI, I've tried using the Ethereal port sniff (free edition) but that seems to not even find anything but normal broadcast (such as DHCP). FYI, no AppleTalk is on... I know better... c'mon, this is the 21st century LOL.

Thanks
-Brett
 
I'd have thought the network analyzer may have helped. It's been a while since I used Ethereal, but does it highlight the top talkers or the top network protocols used?

If you have a virus outbreak, you'll see a definite trend using an analyzer, for instance very high utilisation of ICMP, or the top talkers dwarfing everybody else's utilisation on a constant basis.

If you know what virus originally infected this segment, try and gain an appreciation of the profile of this virus regarding the ports it is transported via. Once you know this, you can run specific Cisco debugs to look for any traffic that specifically matches this profile.

Also I'd entertain integrating something like MRTG (you can google it). This is a useful tool for determining the utilisation of all your devices on a port-by-port basis. This tool should help you quickly identify who the top talkers are on this segment, allowing you to narrow your search considerably if overutilisation is the issue.

If broadcasting is the issue, try and ascertain using Ethereal what ratio of broadcasts you are seeing relative to normal traffic. 10:1 is cited as an acceptable level of broadcasts to normal traffic.
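The three checks this reply suggests (top talkers, the dominant protocol, and the broadcast-to-normal-traffic ratio) can be pulled out of an analyzer's packet-summary export with a short script. The following is an added example, not code from the thread or from Ethereal; it assumes a whitespace-separated summary export with the columns frame, time, source, destination, protocol, length, info, and the capture lines it reads are constructed for illustration. It reports raw counts only and leaves the acceptable ratio to the reader's own baseline.

```python
"""Summarise an Ethereal/tshark-style packet summary: broadcast ratio, protocol mix, top talkers."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample (not real captured data) in the column order of a packet-summary export:
# frame, time, source, destination, protocol, length, info.
SAMPLE_CAPTURE = """\
1 0.000 10.10.0.7 Broadcast ARP 60 Who has 10.10.0.1? Tell 10.10.0.7
2 0.001 10.10.0.7 Broadcast ARP 60 Who has 10.10.0.2? Tell 10.10.0.7
3 0.002 10.10.0.7 Broadcast ARP 60 Who has 10.10.0.3? Tell 10.10.0.7
4 0.010 10.10.0.7 10.10.0.9 TCP 62 1034 > 135 [SYN]
5 0.011 10.10.0.7 10.10.0.10 TCP 62 1035 > 135 [SYN]
6 0.012 10.10.0.7 10.10.0.11 TCP 62 1036 > 135 [SYN]
7 0.020 10.10.0.20 255.255.255.255 DHCP 342 DHCP Discover
8 0.030 10.10.0.21 10.10.0.1 DNS 74 Standard query A www.example.com
9 0.040 10.10.0.1 10.10.0.21 DNS 138 Standard query response
10 0.050 10.10.0.21 192.0.2.10 HTTP 1514 GET /index.html HTTP/1.1
11 0.060 192.0.2.10 10.10.0.21 HTTP 1514 HTTP/1.1 200 OK
12 0.070 10.10.0.7 Broadcast ARP 60 Who has 10.10.0.4? Tell 10.10.0.7
"""
# Destinations the summary view shows for layer-2 and limited broadcasts.
BROADCAST_DSTS = {"Broadcast", "255.255.255.255", "ff:ff:ff:ff:ff:ff"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    length: int


def parse_summary(text: str) -> List[Packet]:
    """Parse one summary line per packet; blank or malformed lines are skipped."""
    packets = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        _, _, src, dst, proto, length = parts[:6]
        packets.append(Packet(src, dst, proto, int(length)))
    return packets


def is_broadcast(pkt: Packet, directed_broadcast: str = "") -> bool:
    """True for limited/L2 broadcasts and, if given, the VLAN's directed broadcast address."""
    return pkt.dst in BROADCAST_DSTS or pkt.dst == directed_broadcast


def broadcast_ratio(packets: List[Packet], directed_broadcast: str = "") -> Tuple[int, int]:
    """Return (broadcast packets, other packets) so the ratio can be judged against a local baseline."""
    bcast = sum(1 for p in packets if is_broadcast(p, directed_broadcast))
    return bcast, len(packets) - bcast


def protocol_mix(packets: List[Packet]) -> Counter:
    """Packet count per protocol; a flood of one protocol (ICMP, ARP, ...) is the trend to look for."""
    return Counter(p.proto for p in packets)


def top_talkers(packets: List[Packet], key: str = "bytes", n: int = 3) -> List[Tuple[str, int, int]]:
    """Rank sources by bytes or by packet count; each entry is (source, packets, bytes).
    Rank by both: a host sweeping the segment sends many tiny packets and can be
    invisible in a bytes-only ranking."""
    pkts, byts = Counter(), Counter()
    for p in packets:
        pkts[p.src] += 1
        byts[p.src] += p.length
    ranking = byts if key == "bytes" else pkts
    return [(src, pkts[src], byts[src]) for src, _ in ranking.most_common(n)]


if __name__ == "__main__":
    packets = parse_summary(SAMPLE_CAPTURE)
    b, u = broadcast_ratio(packets, directed_broadcast="10.10.255.255")  # assumed VLAN broadcast address
    print(f"broadcast:other = {b}:{u}")
    print("protocols:", dict(protocol_mix(packets)))
    for key in ("bytes", "packets"):
        print(f"top talkers by {key}:", top_talkers(packets, key=key))
```

On the constructed sample the bytes ranking puts the web-browsing host first while the packet ranking puts the host sweeping its neighbours first, which is why both views are worth a look before deciding who to chase.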
 
You can turn on cache flow on your router interfaces that feed the VLAN; on each interface enter "ip route-cache flow". Then to look at the flows and see who is doing what, just type "show ip cache flow" and this is going to tell you who is talking to who. Also you can clear counters on your trouble VLAN and see if you are indeed getting a lot of broadcast. What does the interface for the problem VLAN look like? Any errors or high utilization? Check for the obvious like speed/duplex mismatches on your connecting links. If you have infected devices you should be able to spot them fairly easily using cache flow; you will see some addresses going to many different addresses that don't even belong to you.
 
If you use Ethereal to analyze traffic, you should set up a SPAN port on the switch to monitor all the traffic instead of just the broadcasts.
 
To find top talkers, drill down.
Capture traffic on ports in this order:
1. Default route to the Internet.
2. Default route to private IP space (10.x.x.x).
3. On a specific switch, capture on its uplink to your core.

Once you find a talker, note its IP address, MAC address and hostname.

Here are the IOS commands.

To monitor a VLAN:
!source
monitor session 1 source vlan 1
!destination
monitor session 1 destination interface fa0/1

To monitor a port in IOS on the same switch:

!remove source
no monitor session 1 source vlan 1
!new source, destination stays
monitor session 1 source interface fa0/2

Once you find a suspect IP address (say 10.10.0.1), get its MAC address.

On that PC's default gateway, this command gets the MAC address:

show arp | include 10.10.0.1

#10.10.0.1 aaaa.bbbb.010a

Then run this command on the switch to see the port on which the MAC address was learned (on the 2950/3500-series IOS the table is "show mac-address-table"):

show mac-address-table | include aaaa.bbbb.010a
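Putting the two replies above together (spot a host from "show ip cache flow" that is talking to many addresses, then chase it through "show arp" and the MAC table to a switch port) is a repeatable triage step, so here it is as a script. This is an added example, not code from the thread or from Cisco; it assumes the column layout of "show ip cache flow" (protocol and ports are hexadecimal there), of "show arp" and of "show mac-address-table", the sample output it parses is constructed, the local prefix 10.0.0.0/8 and the fan-out threshold of 5 distinct destinations are assumptions, and the hypothetical helper names (triage, fan_out, mac_for_ip, port_for_mac) are mine.

```python
"""Triage 'show ip cache flow' output for fan-out, then map a suspect IP to its MAC and switch port."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample output (not real data). The column layout follows
# 'show ip cache flow'; protocol and ports are hexadecimal in that output.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl10          10.10.0.7       Vl10          10.10.0.9       06 0402 0087     1
Vl10          10.10.0.7       Vl10          10.10.0.10      06 0403 0087     1
Vl10          10.10.0.7       Gi1/0/1       203.0.113.5     06 0404 0087     1
Vl10          10.10.0.7       Gi1/0/1       203.0.113.6     06 0405 0087     1
Vl10          10.10.0.7       Gi1/0/1       203.0.113.7     06 0406 0087     1
Vl10          10.10.0.7       Gi1/0/1       198.51.100.9    06 0407 0087     1
Vl10          10.10.0.21      Gi1/0/1       192.0.2.10      06 0412 0050    40
Vl10          10.10.0.21      Vl10          10.10.0.1       11 0413 0035     2
Gi1/0/1       192.0.2.10      Vl10          10.10.0.21      06 0050 0412    38
"""
# Constructed 'show arp' output from the VLAN's default gateway.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.0.1               -   aaaa.bbbb.0001  ARPA   Vlan10
Internet  10.10.0.7               5   aaaa.bbbb.0107  ARPA   Vlan10
Internet  10.10.0.21              2   aaaa.bbbb.0115  ARPA   Vlan10
"""
# Constructed 'show mac-address-table' output from the access switch.
SAMPLE_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aaaa.bbbb.0001    DYNAMIC     Gi0/1
  10    aaaa.bbbb.0107    DYNAMIC     Fa0/7
  10    aaaa.bbbb.0115    DYNAMIC     Fa0/21
"""
LOCAL_PREFIXES = [ip_network("10.0.0.0/8")]  # assumption: the school's own address space

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FLOW_RE = re.compile(r"^(\S+)\s+" + IPV4 + r"\s+(\S+)\s+" + IPV4 +
                     r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")


def parse_cache_flow(text):
    """Return (src, dst, proto, sport, dport, pkts) per flow line; headers and summaries are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            _, src, _, dst, pr, sp, dp, pkts = m.groups()
            flows.append((src, dst, int(pr, 16), int(sp, 16), int(dp, 16), int(pkts)))
    return flows


def fan_out(flows):
    """Per source: distinct destinations, destinations outside LOCAL_PREFIXES, flow and packet counts."""
    stats = defaultdict(lambda: {"dsts": set(), "foreign": set(), "flows": 0, "pkts": 0})
    for src, dst, _, _, _, pkts in flows:
        s = stats[src]
        s["dsts"].add(dst)
        s["flows"] += 1
        s["pkts"] += pkts
        if not any(ip_address(dst) in net for net in LOCAL_PREFIXES):
            s["foreign"].add(dst)
    return stats


def mac_for_ip(arp_text, ip):
    """Hardware address for an IP in 'show arp' output (the 'show arp | include <ip>' step)."""
    for line in arp_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "Internet" and f[1] == ip:
            m = MAC_RE.search(line)
            return m.group(1) if m else None
    return None


def port_for_mac(mac_text, mac):
    """Port a MAC was learned on in 'show mac-address-table' output (the last column)."""
    for line in mac_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].lower() == mac.lower():
            return f[-1]
    return None


def triage(flow_text=SAMPLE_FLOWS, arp_text=SAMPLE_ARP, mac_text=SAMPLE_MAC, min_fanout=5):
    """Flag sources whose distinct-destination count reaches min_fanout (the threshold is an assumption)."""
    suspects = []
    for src, s in fan_out(parse_cache_flow(flow_text)).items():
        if len(s["dsts"]) < min_fanout:
            continue
        mac = mac_for_ip(arp_text, src)
        suspects.append({"ip": src, "unique_dsts": len(s["dsts"]), "foreign_dsts": len(s["foreign"]),
                         "flows": s["flows"], "pkts": s["pkts"], "avg_pkts_per_flow": s["pkts"] / s["flows"],
                         "mac": mac, "port": port_for_mac(mac_text, mac) if mac else None})
    return suspects


if __name__ == "__main__":
    for s in triage():
        print(f"{s['ip']}: {s['unique_dsts']} destinations ({s['foreign_dsts']} outside our space), "
              f"{s['avg_pkts_per_flow']:.1f} pkts/flow -> MAC {s['mac']} on port {s['port']}")
```

Two things to keep in mind when running this against real output: one packet per flow across many destinations is the shape to look for, not raw byte volume, and if the port that comes back is a trunk or uplink (Gi0/1 in the sample) the MAC was learned from the next switch down, so repeat the MAC-table lookup there, exactly the drill-down the reply above describes.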
 