Broadcast


Preacher Man

I am trying to monitor my traffic to see if I am having excess broadcasts on
my network. I realize that there will usually be some broadcast, but what
is normal for a network of about 60 PCs? In about 5 minutes I have had
about 230 broadcasts.
 
Preacher Man said:
I am trying to monitor my traffic to see if I am having excess broadcasts on
my network.

Reasonable, but it is usually easier to just
set up so that it isn't happening -- then look
for exceptions.

I realize that there will usually be some broadcast, but what
is normal for a network of about 60 PCs? In about 5 minutes I have had
about 230 broadcasts.

That means each PC broadcast about once per minute
or had about 4 broadcasts each.

How much traffic do you have overall? What percentage
of the packets are broadcast? This will tell more than
raw numbers usually.

WHAT are the broadcasts? (What type? What protocol?)

What were they doing? This is NOT a lot of traffic but
it seems odd -- IP machines MUST broadcast for IP
resolution (ARP) but this caches so this wouldn't seem
to account for it unless they were all just turned on (finding
3 servers each and a gateway/router) or something similar.

They MAY broadcast for NetBIOS resolution (especially
if you have No WINS server and only one subnet.) We
might attribute half the broadcasts to NetBIOS and half
to ARP but we can stop the NetBIOS (totally or nearly
so) with WINS server.
 
I do have a WINS. It looks like about 3% is broadcast traffic. I also have
Ethereal installed. Do you know the filter to just display broadcast
traffic? Ethereal might tell me a bit more than the standard Network
Monitor.
 
About half of my broadcast was coming from a printer that seldom is used.
So I unplugged it. That will help, and I also noticed that one of my
servers is putting out quite a bit of Broadcasts. Is there any way to tell
what it is on the PC that is broadcasting?

Thanks Again.
 
Preacher Man said:
I do have a WINS. It looks like about 3% is broadcast traffic. I also have
Ethereal installed.

That is not excessive but it might be more than
necessary. Also it might be less than it appears
if you haven't got much real data traversing the
net. (1 is 10% of 10 etc.)

Are all of your machines (DCs, WINS servers, every
client) also WINS clients? (They should be.)

Why? If "servers" aren't WINS clients they never
register themselves and then are not in the WINS
database for (real) clients to find -- same is true
for (dynamic) DNS.

Also DHCP WINS clients must have the option for
Node Type set (usually to 8 which is WINS first,
broadcast only if it fails.)

Do you know the filter to just display broadcast
traffic? Ethereal might tell me a bit more than the standard Network
Monitor.

Not off the top of my head -- but in NetMon
(included with every server) the broadcasts
are given as a percent and it has a "visual
language" for setting up capture and display
filters.

Also, once you capture a bunch of stuff, you
can probably spot the broadcasts and then
filter on their traffic (types.)

Give me some examples of the broadcast packets...

There should be almost no NetBIOS traffic if you
have WINS (client and server) right.
 
Preacher Man said:
About half of my broadcast was coming from a printer that seldom is used.
So I unplugged it. That will help, and I also noticed that one of my
servers is putting out quite a bit of Broadcasts. Is there any way to tell
what it is on the PC that is broadcasting?

NetMon.

And check those WINS CLIENT settings I mentioned
in another message.

But if you need the printer (ever) you probably
can tolerate 3% (and it probably wasn't most of
that anyway.) What type?
 
How do I tell what kind of traffic it is? I am not seeing that in NetMon.
Please keep in mind also that I only have the standard version that comes
with Win2K Server.
 
I did check one of the clients that was giving some broadcast. The IPCONFIG
said they were in Hybrid mode. Since this is right, what else could be
broadcasting? I also left in a previous thread asking how to tell what kind
of broadcast it is?

Thanks for your help.
 
Preacher Man said:
How do I tell what kind of traffic it is? I am not seeing that in NetMon.
Please keep in mind also that I only have the standard version that comes
with Win2K Server.

I open NetMon [even server version]; capture packets;
hit Capture -> Start; [wait a while or induce some traffic];
hit Capture -> Stop and View.

Most packets are obvious from the PROTOCOL column.
(Also combined with the Description column.)

Click a packet to see (parsed) detail and hex/ASCII dump
windows -- click again to get back to summary only.
 
Preacher Man said:
I did check one of the clients that was giving some broadcast. The IPCONFIG
said they were in Hybrid mode. Since this is right, what else could be
broadcasting? I also left in a previous thread asking how to tell what kind
of broadcast it is?

That is a good START but it won't prevent all
NetBIOS broadcasts (since Hybrid does WINS
server first AND then tries broadcasts if the target
is not found.)

Two main reasons for the target not being found:

1) Target is an internal NetBIOS machine that is NOT a
WINS client and so not registered (as it should
be.)

2) Target is NOT an internal machine and we are searching
WINS (uselessly) and then broadcasting for something
that will never be found -- this is caused by an often overlooked
setting which has DNS fail over to NetBIOS METHODS
when it fails to find resolution -- there is a registry setting
for this somewhere, and if your DNS is properly set up it can
be disabled.

3) This previous will also happen for a MISTYPED NetBIOS
name (uncommon for most users who click) or a NetBIOS
name that is still in the browse lists but where the machine
is now down or otherwise unreachable.

If you were REALLY concerned about NetBIOS broadcasts you
could set P-Node NetBIOS clients but this is seldom worth the
trouble nor worth losing the occasional case where the broadcast
is helping you (even in a properly installed network.)

Remember, EVERY machine should be a client of the WINS server
(even the WINS server itself.)

Oh, and there is a fourth category: old machines, UNIX machines,
etc who for some reason don't have a WINS client stack but for
these you can always add a static WINS server entry if you really
wish to avoid these.
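
An added example, not part of the thread: the three questions raised in the replies (what share of frames is broadcast, what protocol they are, and which machine sends them) answered by a short Python tally over raw Ethernet II frames. The sample frames, MAC addresses and helper names are constructed for illustration; getting frames out of a real capture is left to the capture tool's export.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6   # same test as the display filter eth.dst == ff:ff:ff:ff:ff:ff
UDP_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram",
             67: "DHCP", 68: "DHCP"}

def classify(frame):
    """Name the protocol of a raw Ethernet II frame (assumes no VLAN tag)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        return "ARP"
    if ethertype != 0x0800 or len(frame) < 34:
        return "ethertype 0x%04x" % ethertype
    if frame[23] != 17:                      # IPv4 protocol field, 17 = UDP
        return "IP proto %d" % frame[23]
    udp = 14 + (frame[14] & 0x0F) * 4        # skip the variable-length IP header
    if len(frame) < udp + 4:
        return "UDP (truncated)"
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    return UDP_PORTS.get(dport, "UDP/%d" % dport)

def summarize(frames):
    """Return (broadcast percent of all frames, Counter of (source MAC, protocol))."""
    talkers = Counter()
    for f in frames:
        if len(f) >= 14 and f[:6] == BROADCAST:
            src = ":".join("%02x" % b for b in f[6:12])
            talkers[(src, classify(f))] += 1
    share = 100.0 * sum(talkers.values()) / len(frames) if frames else 0.0
    return share, talkers

# --- constructed sample frames (not from a real capture) ---
def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def udp_ip(dport):
    ip = bytes([0x45, 0]) + bytes(7) + bytes([17]) + bytes(10)   # 20-byte IPv4 header
    return ip + struct.pack("!HHHH", dport, dport, 8, 0)

PRINTER, SERVER, PC = (bytes.fromhex("0200000000" + x) for x in ("0a", "0b", "0c"))
SAMPLE = ([eth(BROADCAST, PRINTER, 0x0800, udp_ip(137))] * 3
          + [eth(BROADCAST, SERVER, 0x0806, bytes(28)),
             eth(BROADCAST, PC, 0x0800, udp_ip(67))]
          + [eth(SERVER, PC, 0x0800, udp_ip(53))] * 5)

if __name__ == "__main__":
    share, talkers = summarize(SAMPLE)
    print("broadcast share: %.1f%%" % share)
    for (src, proto), n in talkers.most_common():
        print(src, proto, n)
```

Sorting the counter by count puts the noisiest sender and its protocol first, which is the per-machine view asked for in the thread.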
 