How can I identify a Broadcast Storm - Pls Help

Hello,

If you had a broadcast storm going on, all of your network devices would be nearly paralyzed, and you would be able to sniff packets from any node on the network (because broadcasts hit every devices, regardless if it is a switch or a hub as a network combining hardware device).

For packet sniffing, there is a freeware tool available with linux -- Ethereal. Of course, you would see all of the packets and what they are doing... although you might have to scroll through lots of data to get to it.

Might want to ask yourself if there were any devices recently added to the network, or did someone replace a patch cable in the closet, or perhaps at a desktop? What change was made? You might also have a virus running around.... a few weeks ago, we got hit with bling (also called Spybot) that tried to pound it's way across the Windoze machines. Brought the network to a near halt.

Good Luck with it,

Christian

Good call on virus/changes, especially if someone put a second link between the switches.

McFly; What do you mean xDSL between them? What devices/model #'s do the DSL? How much distance between switches? What kind of cable is between them?

PCs<----->Cat29k<----->???<--(dsl?)-->???<----->Cat29k<----->servers

Do you have a console cable? passwords? can you log into the switches?

xDSL as in ADSL technology, we've got some ascom equipment that transmitts across site via twisted pair BT Line, a 1 mile distance. I'm not too sure if it is a virus, because we are a Government site we are protectively linked to the outside, and more of the site should be affected. No one has picked this up on our Anti-Virus. I think its most likely a faulty equipment, continually transmitting, or possibly the first switch has a configuration problem, the problem has existed since the building was kitted out with new equipment.

Sorry, I should of added this is why I want to monitor network traffic, try and identify a single piece of equipment thats broadcasting excessively. Anyone heard of a problem with faulty cisco equipment creating broadcast storms.

I have been working on Cisco gear about six years now, I have never heard of it but I know not to rule it out. It sounds more like a uplink port flaking out, spanning tree issue, or something with those line drivers.

Any reason not to upgrade the IOS to a current rev and blow away the configs on both switches and run them defaulted?

Any reason not to upgrade the IOS to a current rev and blow away the configs on both switches and run them defaulted?

Yeah I don't know how. I'll reset the config on the first switch, see how that goes, also going to try and use ethereal to identify excess broadcasts.

Thanks for your help

Hey Marty, thought of another one if you are worried about broadcasts. Click the mode button on the front of the switch you are worried about until you get to "util" this will tell the the % of utilization of the switch.

If it is a 24 port each light will represent about a 4% load, if it is a 12 port switch, each light will represent a 8% load.

If it is constantly running below 30% I wouldn't worry about it on a network that size.

also, if you log into the console (or telnet to a switch and type "enable" and the enable password followed by "term mon") do you see messages scrolling down the screeen? If so could you either post a sample?

Thanks for your assistance. I've had a look at the term mon, and I get no message, but you have possibly helped me out a great deal with the Util on the switch. I had a look at the first switch, and this was on 40% utilisation, (and this was at lunch when the system wasn't being used), with a max of about 70% over the life of the configuration.

From this I'm looking into the fact that the second switch can't handle the load, as the 40% is only from one building out of about 20 that it controls. I'll be checking the utilisation on the that switch tomorrow, will keep you posted.

Many thanks, David

Do you have a Cisco router for your default gateway? If so I suggest you enable and look at the route cache to find the offending computer.

To do this go under the ethernet interface in configuration mode and enter "ip route-cache flow"

Then exit the config mode and enter "sh ip cache flow" from the enable prompt.

The router will display all sessions by what computer is starting them. Probably one spyware / virus ridden device is killing your network by trying to propagate.

Thanks for your help W1r3sp33d. Think I've identified this as faulty wiring from the patch to the wall ports. Everytime someone connects to that wall port the comms start dropping out, and the switch locks out the port.

We've got a comms team coming in shortly to check it out, so hopefully this will be resolved, but I'm greatful for you help in the investigation

David

glad you isolated the problem, hope the tips helped finding it. Cheers!

Dear my question is How i identify over the LAN environment that which system is creating a brodcasting over the network. I have 10 pc over the network which are connected to each other through cisco switch, dear i my view i have one system which have that type of virus which act on my bandwith and used my bandwith mosly and disturb my online system only, not disturb my LAN environment. Please provide solution. thanks
Muhammad Umair
Pakistan, City peshawar