I'm not our normal network guy... I've just been recruited to help with this issue, so please bear with me.
We have a fairly large network (~4,000 devices?) made up mostly of HP Procurve gear. Off and on over the past few weeks, we've been getting some broadcast storms that pretty much prevent any other traffic from being sent across the network. I set up Wireshark to do 5MB dumps, and caught some of this in the act this morning.
You can download the packet capture. The fun started at packet #23968. An apparently malformed NBNS packet gets repeated over and over. It's not just a straight loop, though. The source (143.226.8.185) and destination (143.226.44.79) IP addresses stay the same, but the source MAC address changes. The first packet appears to come from an insignificant device on the network and is sent to a multicast address, 01:00:5e:7f:ff:fa. All the subsequent packets come from the MAC addresses of our HP wireless access points and are sent to a different multicast address, 01:00:5e:62:2c:4f.
Here's the first packet:
No. Time Source Destination Protocol Info
23968 122.229240 143.226.8.185 143.226.44.79 NBNS Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]
Frame 23968 (1038 bytes on wire, 1038 bytes captured)
Arrival Time: Sep 15, 2010 08:32:44.329966000
[Time delta from previous captured frame: 0.004744000 seconds]
[Time delta from previous displayed frame: 0.004744000 seconds]
[Time since reference or first frame: 122.229240000 seconds]
Frame Number: 23968
Frame Length: 1038 bytes
Capture Length: 1038 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:udp:nbns]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Address: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
Address: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 7773643D22687474703A2F2F736368656D61732E786D6C73...
Frame check sequence: 0x6f70653e [incorrect, should be 0x30019938]
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 203
Identification: 0x00d0 (208)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xe485 [correct]
[Good: True]
[Bad : False]
Source: 143.226.8.185 (143.226.8.185)
Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 183
Checksum: 0x01db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
NetBIOS Name Service
Transaction ID: 0x4d2d
Flags: 0x5345 (Unknown operation)
0... .... .... .... = Response: Message is a query
.101 0... .... .... = Opcode: Unknown (10)
.... ..1. .... .... = Truncated: Message is truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Broadcast: Not a broadcast packet
Questions: 16722
Answer RRs: 17224
Authority RRs: 8234
Additional RRs: 8264
Queries
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (12081)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (11631)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25701)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25914)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25970)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (18273)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (24953)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (26979)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (3338)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (14882)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28730)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25455)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (8717)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28513)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (29287)
[Malformed Packet: NBNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
Here's the next packet:
No. Time Source Destination Protocol Info
23969 122.229836 143.226.8.185 143.226.44.79 NBNS Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]
Frame 23969 (217 bytes on wire, 217 bytes captured)
Arrival Time: Sep 15, 2010 08:32:44.330562000
[Time delta from previous captured frame: 0.000596000 seconds]
[Time delta from previous displayed frame: 0.000596000 seconds]
[Time since reference or first frame: 122.229836000 seconds]
Frame Number: 23969
Frame Length: 217 bytes
Capture Length: 217 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:udp:nbns]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: HewlettP_05:de:da (00:17:a4:05:de:da), Dst: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
Destination: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
Address: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HewlettP_05:de:da (00:17:a4:05:de:da)
Address: HewlettP_05:de:da (00:17:a4:05:de:da)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 203
Identification: 0x00d0 (208)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 127
Protocol: UDP (0x11)
Header checksum: 0xe585 [correct]
[Good: True]
[Bad : False]
Source: 143.226.8.185 (143.226.8.185)
Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 183
Checksum: 0x01db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
NetBIOS Name Service
Transaction ID: 0x4d2d
Flags: 0x5345 (Unknown operation)
0... .... .... .... = Response: Message is a query
.101 0... .... .... = Opcode: Unknown (10)
.... ..1. .... .... = Truncated: Message is truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Broadcast: Not a broadcast packet
Questions: 16722
Answer RRs: 17224
Authority RRs: 8234
Additional RRs: 8264
Queries
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (12081)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (11631)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25701)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25914)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25970)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (18273)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (24953)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (26979)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (3338)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (14882)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28730)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25455)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (8717)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28513)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (29287)
[Malformed Packet: NBNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
Crazy, right? If you look through the packet capture, you'll see that much of this packet is repeated after that point. It goes on and on after that, across several more files.
If this were a loop, why would only our APs be sending this packet? These APs are scattered all over our campus.
A little more information about our network... Everything is flat. Straight Ethernet runs across everything, and we have a class B IP block. No subnets. There is a packet shaper, firewall, and router between our network and our WAN connection.
Finally, if you see this post and it looks familiar, it's because I posted a similar problem in the past that we still haven't resolved, but I haven't seen it recently. That can be found at HP switches sending multicast ping requests.
Thank you very much for your time!
Edit: Packet 23968 is confirmed to be the trigger for this multicast storm. I replayed that packet on our network and set it off again.
Edit/Update: Doing some more experimenting. I took one of our HP access points and connected it directly to my PC. Nothing else attached to the segment. If I replay the initial packet that was causing the problems to the AP, the AP responds once. If I replay the AP's response back to the AP, it responds again. Every time it does this, the TTL is decremented. What's happening here is that the APs on the network initially hear the broken multicast packet from the host and respond to it via multicast. Each AP hears these responses from all the other APs and responds to them. Each AP hears all the responses to the responses, and the responses to those. Fortunately, it decrements the TTL each time, so the storm dies out as soon as the TTL reaches 0 and the packet is killed. Now all I need to do is figure out how to stop this behavior!
The AP I have in front of me is an HP Procurve 420 J8130B.
Edit (SOLVED!): After trying seemingly every setting on the AP, I still couldn't stop it from retransmitting those multicast packets. I found that we didn't have the latest firmware, so I tried upgrading, but the problem persisted. I then tried downgrading to version 2.1.7 from November 29, 2006. No problems with this firmware! APs running 2.1.7 do not retransmit the packet! I'm still waiting to find out how the garbage data got onto the network in the first place, but the problem is solved for now. We are filing a bug report with HP.
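
The pattern the post describes (same IP source, destination, IP identification and NBNS transaction ID, but a changing source MAC and a falling TTL) can be checked for in a capture. The following is an added example, not part of the original post: only frames 23968 and 23969 carry values shown above, the other records are constructed, and the function and field names are hypothetical.

```python
from collections import defaultdict, namedtuple

# One record per captured frame, reduced to the fields that identify a datagram.
Frame = namedtuple("Frame", "no src_mac ip_src ip_dst ip_id ttl txid")

SRC, DST = "143.226.8.185", "143.226.44.79"
FRAMES = [
    # Values from the two frames dissected in the post.
    Frame(23968, "00:1f:3b:d2:5e:6b", SRC, DST, 0x00D0, 128, 0x4D2D),
    Frame(23969, "00:17:a4:05:de:da", SRC, DST, 0x00D0, 127, 0x4D2D),
    # Constructed follow-up frames (placeholder MACs) showing further re-emission.
    Frame(23970, "02:00:00:00:00:01", SRC, DST, 0x00D0, 127, 0x4D2D),
    Frame(23971, "02:00:00:00:00:02", SRC, DST, 0x00D0, 126, 0x4D2D),
    Frame(23972, "00:17:a4:05:de:da", SRC, DST, 0x00D0, 126, 0x4D2D),
    # Constructed ordinary traffic: same datagram seen twice from one MAC.
    Frame(23973, "02:00:00:00:00:09", "143.226.1.10", "143.226.255.255", 0x1A2B, 128, 0x8001),
    Frame(23974, "02:00:00:00:00:09", "143.226.1.10", "143.226.255.255", 0x1A2B, 128, 0x8001),
]


def find_reflected_datagrams(frames, min_macs=3):
    """Flag datagrams that other devices are re-emitting.

    A datagram is identified by (ip_src, ip_dst, ip_id, txid). On a flat
    layer-2 network nothing should decrement its TTL, so copies with a lower
    TTL and a different source MAC were re-sent by another device. min_macs=3
    tolerates a single routed hop on networks that do have one.
    """
    groups = defaultdict(list)
    for f in frames:
        groups[(f.ip_src, f.ip_dst, f.ip_id, f.txid)].append(f)

    findings = []
    for key, seen in groups.items():
        # Origin: highest TTL, earliest frame number on a tie.
        origin = max(seen, key=lambda f: (f.ttl, -f.no))
        macs = {f.src_mac for f in seen}
        reflectors = sorted({f.src_mac for f in seen if f.ttl < origin.ttl})
        if len(macs) >= min_macs and reflectors:
            findings.append({
                "datagram": key,
                "origin_mac": origin.src_mac,
                "reflector_macs": reflectors,
                # Number of re-emission rounds observed so far.
                "generations": origin.ttl - min(f.ttl for f in seen),
                "copies": len(seen),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reflected_datagrams(FRAMES):
        print(finding)
```
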