
Topic: huge ether.NETBIOS packets
Replies: 7   Pages: 1   Last Post: Sep 8, 2003 10:14 AM by: Eivind Pedersen


Nate Berry
huge ether.NETBIOS packets
Posted: Apr 28, 2003 10:20 PM

I'm running netprobe 0.4 on an NT4.0 box on a small Windows network (no Novell) and I see a large number of ether.NETBIOS (LLC/SAP F0F0) packets (and bytes). In fact, it is the largest amount of traffic by several orders of magnitude. When I try to see what hosts are generating this traffic, nothing appears. Can anyone tell me where to start looking to identify what might be flooding these packets across our network?

Nate

Eivind Pedersen

Posts: 473
From: Oslo, Norway
Registered: Jun 11, 2002
Re: huge ether.NETBIOS packets
Posted: Apr 28, 2003 10:35 PM

Is your computer connected to a switch (without a spanned port)?

Nate Berry
Re: huge ether.NETBIOS packets
Posted: Apr 28, 2003 10:48 PM

Why, yes it is! I'm afraid I'm not very familiar with how to configure it, though; we just bought it and plugged it in. It's a Cisco Catalyst 2950 right out of the box. Thanks for the quick response!

Eivind Pedersen

Re: huge ether.NETBIOS packets
Posted: Apr 28, 2003 11:27 PM

The Cisco Catalyst 2950 should have a possibility to be configured with span support. For information about the span terminology, have a look at http://www.cisco.com/warp/public/473/41.html

If it's connected to a normal port, only multicast/broadcast traffic is seen.

Alternatively, use a hub.
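
The distinction described in this reply, as an added example that is not part of the original posts or of Network Probe: classifying captured Ethernet frames by destination address shows whether the capture contains any unicast traffic between other hosts, and which frames carry the LLC F0F0 (NetBIOS) header. The MAC addresses and frames are constructed sample data.

```python
# Added example: all MAC addresses and frames below are constructed sample data.
import struct
from collections import Counter

NETBIOS_SAP = 0xF0  # LLC DSAP and SSAP, the "F0F0" reported in the thread

def classify(frame: bytes, own_mac: bytes):
    """Return (kind, is_llc_netbios) for a raw Ethernet frame without FCS."""
    dst, src = frame[0:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 0x01:  # I/G bit set: group (multicast) address
        kind = "multicast"
    elif own_mac in (dst, src):
        kind = "own-unicast"
    else:
        kind = "foreign-unicast"  # normally needs a hub or a mirrored port
    # A value <= 1500 is an 802.3 length, so an LLC header follows.
    is_netbios = (type_or_len <= 1500 and len(frame) >= 16
                  and frame[14] == NETBIOS_SAP and frame[15] == NETBIOS_SAP)
    return kind, is_netbios

def summarize(frames, own_mac: bytes):
    """Count frame kinds and say whether the capture sees other hosts' unicast."""
    kinds, netbios = Counter(), 0
    for frame in frames:
        if len(frame) < 14:  # truncated capture record, skip it
            continue
        kind, is_netbios = classify(frame, own_mac)
        kinds[kind] += 1
        netbios += is_netbios
    return {"kinds": dict(kinds), "llc_netbios": netbios,
            "sees_foreign_unicast": kinds["foreign-unicast"] > 0}

def mac(text): return bytes.fromhex(text.replace(":", ""))

PROBE, HOST_A, HOST_B = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"), mac("02:00:00:00:00:03")
NB_GROUP = mac("03:00:00:00:00:01")  # sample group address for the NetBIOS frames

UNMIRRORED = [
    NB_GROUP + HOST_A + struct.pack("!H", 3) + bytes([0xF0, 0xF0, 0x03]),
    b"\xff" * 6 + HOST_B + struct.pack("!H", 0x0806) + bytes(28),
    PROBE + HOST_A + struct.pack("!H", 0x0800) + bytes(20),
]
MIRRORED = UNMIRRORED + [HOST_B + HOST_A + struct.pack("!H", 0x0800) + bytes(20)]

if __name__ == "__main__":
    print(summarize(UNMIRRORED, PROBE))
    print(summarize(MIRRORED, PROBE))
```

A switch also floods unicast frames whose destination it has not learned yet, so a handful of foreign-unicast frames does not by itself prove the port is mirrored.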

Nate Berry
Re: huge ether.NETBIOS packets
Posted: Apr 29, 2003 2:06 AM

If I understand properly, since the machine that is "sniffing" or running network probe is directly connected to the switch (as are most other machines on the network), I am only seeing those packets which are not sent directly to their intended recipient by the switch? To see this traffic, I would have to enable "spanning" on the switch as per the page you referenced? Do I have it right?

Thanks again for your quick (and informative) comments! I am trying to identify some strange behaviours on the network (large database programs slowing down erratically).

Nate

Eivind Pedersen

Re: huge ether.NETBIOS packets
Posted: Apr 29, 2003 10:32 AM

Yes, you're quite right.

Chris Mcauliffe
Re: huge ether.NETBIOS packets
Posted: Sep 5, 2003 11:05 PM

You mention that you must turn on spanning on the port the probe computer is on for Cisco routers. Is this the same case for the Foundry FastIron 2 as well?

Eivind Pedersen

Re: huge ether.NETBIOS packets
Posted: Sep 8, 2003 10:14 AM

Yes, if it has a span port capability.


