Network Monitor question, -Advice?

Revenue · November 2007

Hey guys/girls,

Iv been going through the labs in the MS 70-291 book on network monitor and decided to have a play setting up IIS/DHCP/DNS on my windows server 2003 enterprise server. I just wanted to to have a look at different kinds of traffic coming to/from the server. On this particular server as soon as I start monitoring the screen fills up with the data shown in the attached image.

I have no idea what its doing

Iv tried doing a bit of research into it however cant seem to find much

It doesn't seem to heading out onto the network as other computers in my lab don't get any LLC packets from the network.

Anyone have any advice on this? I'm not sure if its having any effect on other data getting through,

Any info or advice to get rid of it will be much appreciated

Thanks for your time,

Rev.

sprkymrk · November 2007

What protocols do you have running on this server? I've seen similar stuff with NetBeui or IPX running.

Can you get a better screenshot of the frame details box expanded?

Claymoore · November 2007

Actually, all of your machines should be getting LLC packets.

This is the Logical Link Control sublayer of the Data Link Layer - OSI Layer 2. According to the handy Network Communications Protocols Map from Cisco Press that I have in my cube, the LLC handles error correction at the frame layer (as opposed to the TCP Network Layer 4) and also provides other layer 2 communications and control functions. Finally, it helps in the handoff to the Network Layer for other protocols such as IP, IPX, and Appletalk.

One of the main Layer 2 functions provided by the LLC is 802.1d - the Spanning Tree Protocol (thank you Radia Perlman). The packets you are looking at are BPDU packets which are Bridge Protocol Data Units, basically Spanning Tree discovery and information packets. For you non-Cisco folks in the audience, Spanning Tree is like a routing protocol for switches. In fact, it works a lot like OSPF because Radia Perlman invented both. You may have a problem with the switch to which the server is connected, such as a link flapping (going up and down quickly). Depending on your spanning tree setup, when a link changes the switch needs to check to see if it is a host or a switch that connected and when it knows it can send out a BPDU informing other switches of the topology change. That way switches know how to send information along without creating a bridging loop. A bridging loop would quickly bring down a network because a single broadcast packet (like DHCP or a NetBIOS name broadcast) would spread throughout the network.

Since your network is fine, a bridging loop is not the problem. You also seem to have no network perfomance issues so i doubt these small 38 byte packets are eating up your bandwidth. The network card can issue a CPU interrupt when it receives the packet (unless the card itself is smart enough to discard it) so a flood of small packet can affect your server performance. Your implementation of spanning tree may just be excessively chatty and needs to be tuned. You or your network admin can do this by adjusting the vlans allowed on the switch trunks (if spanning tree is implemented per vlan) or by changing the max-age and forward-time on the BPDU packets.

I might have been a little long-winded, but I took a break studying for my Cisco BDMSN CCNP exam to update my MCSE.

sprkymrk · November 2007

@Claymoore:

If he is using the free version of network monitor, he won't be sniffing packets on the network, just packets originating from/to the server he is running it on, so I don't think he would see STP traffic from the switches that much. He also said it doesn't show up on his other computers in the lab, just this one. Otherwise I might agree, but I don't recall how STP works - broadcast? Also, did you notice the 802.3? Clue?

Also, check out the "Source", it looks like his server, unless you know of any switches that use an ASUS board. I could be wrong, but that's what it looks like to me.

As I mentioned, NetBeui and IPX protocols running on the server could generate similar packets, which is why I was hoping he would post a better picture of the frame details. It's got me curious, and you could be right about chatty switches. There were just a few things that didn't look exactly right to me.

Silver Bullet · November 2007

You don't, by chance, have dual nics configured for adapter teaming do you?

Revenue · November 2007

Hey thanks for your replys

Iv attached another image that may provide more clues,

Its weird, I popped open the side of the server case and its running on a gigabyte motherboard ( GA-M61SME-SE) although the packet states source: Asustek Computer. DA242A.

This server is actually attached to my new PC with an ASUS m2n32-sli premium motherboard which is attached to my ADSL router upstairs. I used windows vista's built in connection bridging to extend my existing network to the server (Haven't got round to grabbing a switch for downstairs yet)

This never actually crossed my mind as a figured the bridge would just connect my two network cards and not actually tell computers that its there

. DHCP/DNS comes from my router and the server attached to my PC can communicate with all other devices on the network with no problems.

The server is just running the default protocols (Client for MS networks,F&p sharing, Network Mon driver, TCP/IP) all configured with default settings.

I have run network monitor on other PCs on the network and I don't see this packet come up on any other device (sorry i have no idea what the destination field represents)

Sorry if this sounds noobish however I haven't come across spanning tree before.

Just looking at the properties of the network bridge now.. I see the Link Layer topology items that the connection is using, I guess it must be something to do with this.(second image attached) I guess its just normal traffic then? I was just concerned at this packet showing up every two seconds and not knowing what it actually was (let alone what it was doing to my server). >_< Live and learn :P

Thanks for your time

Claymoore · November 2007

Promiscuous mode bites me again! I keep forgetting that limitation on Network Monitor. I have been using or administering SMS for several years so I am used to the SMS version of Network Monitor which does allow it. That caught me a few times on practice questions, and you'd think I would get it right eventually.

Back to the issue at hand. A switch is technically a transparent bridge, so by bridging the NICs on your Vista workstation you have essentially turned an expensive PC into a 2 port switch. Since it is possible that both Vista workstation NICs could be connected to the same external switch, they must participate in Spanning Tree or a bridging loop could occur. Therefore, BPDU packets must be sent from the Vista workstation NICs (with the ASUS motherboard) to the rest of the network and are picked up by the network monitor on the server.

Judging by the topology you have described, the Vista workstation has probably elected itself the root bridge and is now just sending out updates reminding everyone who is in charge. If a downstream switch receives a superior BPDU (think fewer switching hops) on a different port, it will know a topology change has occured and adjust its blocking ports accordingly.

MishaZorin · January 2008

Claymoore

Thanks for your post it is very useful for me.

sincerely,
Misha

Network Monitor question, -Advice?

Comments