
astroroxy7

join:2010-09-23

Help with DOS

Attachment: span.pcapng.zip (3,947 bytes), Wireshark capture
My network will randomly go full throttle like a dos, I think from faulty hardware. I cannot understand the packet capture, but this is what it looks like:

I do not think I have any switches with spanning tree, but that is what all the packets are that are bogging down and halting the network.

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Mar 6, 2013 00:45:35.507411000 Pacific Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1362559535.507411000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:macc]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
Ethernet II, Src: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01), Dst: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
    Destination: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        Address: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        [Expert Info (Warn/Protocol): Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)]
        Address: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Type: MAC Control (0x8808)
MAC Control
    Opcode: Pause (0x0001)
    pause_time: 65535

No. Time        Source                          Destination                     Protocol Length Info
2   0.033527000 Spanning-tree-(for-bridges)_01  Spanning-tree-(for-bridges)_01  MAC CTRL 60     MAC PAUSE: pause_time: 65535 quanta

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Mar 6, 2013 00:45:35.540938000 Pacific Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1362559535.540938000 seconds
    [Time delta from previous captured frame: 0.033527000 seconds]
    [Time delta from previous displayed frame: 0.033527000 seconds]
    [Time since reference or first frame: 0.033527000 seconds]
    Frame Number: 2
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:macc]
    [Coloring Rule Name: Broadcast]
    [Coloring Rule String: eth[0] & 1]
Ethernet II, Src: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01), Dst: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
    Destination: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        Address: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
    Source: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        [Expert Info (Warn/Protocol): Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)]
        Address: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broad
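As an added example (not from the thread or its attachment): the frames pasted above carry EtherType 0x8808 (MAC Control) with opcode 0x0001 (PAUSE) and the maximum pause_time of 65535, sent to 01:80:c2:00:00:01; Wireshark labels that reserved address "Spanning-tree-(for-bridges)_01", but the frame is an IEEE 802.3x flow-control PAUSE telling the link partner to stop sending for pause_time quanta of 512 bit times, whereas an STP BPDU goes to 01:80:c2:00:00:00 with LLC DSAP/SSAP 0x42. The Python below builds both frame types from constructed bytes (not read from the capture), classifies a raw frame, and flags PAUSE frames that request the maximum pause.

```python
import struct

# Constructed reserved multicast addresses (IEEE 802.1D/802.3 values, not read from the capture).
PAUSE_MCAST = bytes.fromhex("0180c2000001")   # 01:80:c2:00:00:01, MAC Control PAUSE
STP_MCAST = bytes.fromhex("0180c2000000")     # 01:80:c2:00:00:00, STP BPDUs

def build_pause_frame(src, pause_quanta):
    """Build a 60-byte 802.3x PAUSE frame shaped like the ones in the thread's capture."""
    payload = struct.pack("!HH", 0x0001, pause_quanta)      # opcode PAUSE, pause_time
    frame = PAUSE_MCAST + src + b"\x88\x08" + payload        # EtherType 0x8808 = MAC Control
    return frame.ljust(60, b"\x00")                           # pad to minimum frame size

def build_stp_bpdu(src):
    """Build a minimal 802.1D Configuration BPDU (length field + LLC 42 42 03) for contrast."""
    bpdu = bytes(35)                                          # protocol id 0, version 0, type 0, zeroed fields
    llc = b"\x42\x42\x03"
    frame = STP_MCAST + src + struct.pack("!H", len(llc) + len(bpdu)) + llc + bpdu
    return frame.ljust(60, b"\x00")

def classify(frame):
    """Return (kind, details) for one raw Ethernet frame."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # A group bit set in the *source* MAC is itself abnormal (the Wireshark expert warning above).
    info = {"src_is_group": bool(src[0] & 1)}
    if ethertype == 0x8808:
        opcode, pause = struct.unpack("!HH", frame[14:18])
        if opcode == 0x0001:
            info["pause_quanta"] = pause
            info["pause_us_at_1g"] = pause * 512 / 1000      # one quantum = 512 bit times
            return "MAC_CONTROL_PAUSE", info
        return "MAC_CONTROL_OTHER", info
    # Values <= 1500 are an 802.3 length field; STP rides on LLC DSAP/SSAP 0x42 to the STP address.
    if ethertype <= 1500 and dst == STP_MCAST and frame[14:17] == b"\x42\x42\x03":
        return "STP_BPDU", info
    return "OTHER", info

def pause_storm_alerts(frames, threshold=0xFFFF):
    """Flag PAUSE frames requesting at least `threshold` quanta, the pattern seen in the capture."""
    alerts = []
    for number, frame in enumerate(frames, 1):
        kind, info = classify(frame)
        if kind == "MAC_CONTROL_PAUSE" and info["pause_quanta"] >= threshold:
            alerts.append((number, info["pause_quanta"], info["src_is_group"]))
    return alerts
```

A run of such alerts from one port is a flow-control storm rather than a spanning-tree problem, and is usually traced by disconnecting devices one at a time until the PAUSE frames stop.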

jimbopalmer
Tsar of all the Rushers

join:2008-06-02
Greenwood, MS
kudos:3
Spanning Tree Protocol is meant to find and eliminate loops in your network.

Some device has found loops, but no device is eliminating them.

I would make sure there is never two paths to the same destination.

»en.wikipedia.org/wiki/Spanning_T ··· Protocol
--
I tried to remain child-like, all I achieved was childish.

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to astroroxy7
Second jimbopalmer's comments. STP runs BY DESIGN on every switch out there. If you want to see what a network looks like without it, try YouTube for "broadcast storm," and THEN tell me you want to turn it off.

You want to define your problem better than "My network will randomly go full throttle like a dos" [sic]? A better description would be "website x should take y minutes and is now taking z minutes" or something similar. Right now all you have is pure speculation.

Regards

astroroxy7

join:2010-09-23
reply to astroroxy7
Are you sure STP runs on all switches? How can unmanaged switches have it? I thought you needed to set up the bridge, etc.
I say full throttle because all of the status lights on all devices and the switch blink like crazy at the same rate, and no device can access the web, or even the router interface.

I don't think it's someone else doing a DoS, I think it's just a hardware-failure DoS, not intentional.

Thanks for the reply

annoyingrob

join:2007-03-27
Calgary, AB
said by astroroxy7:

Are you sure stp runs on all switches? How can unmanaged switches have it,

Unmanaged switches DON'T have it.

How is your network set up? You almost certainly have some sort of switching loop. E.g., maybe two switches with 2 cables connected between them, or a single computer with 2 network cards plugged in at once (like a wifi card AND a wired card connected).

astroroxy7

join:2010-09-23
reply to astroroxy7
I think I fixed it. There are no switching loops, but I did get a new AP and that's when it started, so I turned ON STP on the AP and what do you know? It stopped. I think maybe the firmware on the AP had the on and off switched. Thanks for your help =)

HELLFIRE
Premium
join:2009-11-25
kudos:19
reply to astroroxy7
Very sure unmanaged switches have STP... otherwise you've got yourself a very dumb layer 1 hub. As jimbopalmer mentioned, STP is to make sure there are no loops within the network at layer 2; switches operate at layer 2.

How did you wire in the switch and AP? Did you run more than one cable between the two?

Regards


mackey
Premium
join:2007-08-20
kudos:14
said by HELLFIRE:

Very sure unmanaged switches have STP... otherwise you've got yourself a very dumb layer 1 hub. As jimbopalmer mentioned, STP is to make sure there are no loops within the network at layer 2; switches operate at layer 2.

How did you wire in the switch and AP? Did you run more than one cable between the two?

No, unmanaged switches do NOT do STP. Only managed or "smart" switches do. It's a switch because it does "store and forward" - aka it buffers packets if the destination port is in use. A dumb hub doesn't buffer and tries to pass it on immediately, which results in a collision.

Wireless router? A computer/device could very well be bridging the wired and wireless networks in a 2nd place thus causing the broadcast storm.

/M

HELLFIRE
Premium
join:2009-11-25
kudos:19
Umm, hate to burst your bubble mackey but those three things you just slapped together have nothing to do with one another or STP. Feel free to grab a computer, plug it into a home router / gateway and run Wireshark... guess what you get, a lot of BPDU frames, which is the unmanaged switch portion of the device doing STP.

Regards


mackey
Premium
join:2007-08-20
kudos:14
I hate to burst YOUR bubble HELLFIRE but you are the one who's wrong. My computer is plugged into an unmanaged switch (D-Link DGS-2208) which is chained off a DIR-855 wireless router and I've been running Wireshark for the last 15 minutes and there has not been a single BPDU frame.

You do mention something which might be where your confusion is - the home router / gateway. Linux based router/gateways use a Linux Ethernet Bridge to bridge the wired to the wireless, and by default Linux has STP turned on. Those BPDU frames you're seeing are NOT from the unmanaged switch portion, but from the wired<->wireless bridge.

The only error in my last post is I didn't mention how switches "listen in" on traffic to learn MAC addresses so they can forward a packet to the single port instead of broadcasting it to all ports.

/M

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to HELLFIRE

guess what you get, alot of BPDU frames, which is the unmanaged switch portion of the device doing STP.

You are mistaken, sir. STP is a host-CPU function. It is NOT a function provided by the switch SoC, but is a service managed by a host-side CPU connected to the SoC (commonly, a simple PCI bus.) In other words, a "managed switch". The cheap $50 Netgear on the shelf at Best Buy is not a managed switch, and does not run STP. Yes, this makes it more a "hub" than a traditional "switch", but it's still a switch. (what would've been called a bridge in ye'olden days)

The sending and processing of BPDUs, and thus loop detection, is done in software. And for the record, some people *cough*Avaya*cough* have gotten it very wrong. (igmp queries not being blocked by stp "blocked" ports)

HELLFIRE
Premium
join:2009-11-25
kudos:19
@cramer
....well, at least I didn't get the third degree from you about how an ASIC is not a CPU...

So to amend my earlier statement

quote:
STP runs by design on every switch out there when the manufacturer deigns to put it in
I'm still curious what kind of AP the OP has that had the option to turn on STP like that.
OP care to fill us in?

Regards