Causes of broadcast storm:
- Incorrect network design and plan
- Network equipment damage
- HUB is easily lead to broadcast storm as broadcast equipment
- NIC or switching equipment damage
- Network loop
- Incorrect router configuration
- Virus
How to detect Broadcast Storm:
step1. Set up broadcast packets filter
Open Filter --> Add --> From Filter Table, check "Broadcast":
step2. Detect relevant parameters of the broadcast storm
1. Statistical parameters
- broadcast packets bytes
- total broadcast packets
- packets per second
- packet size distribution
- protocol type
- etc (add according to your own network)
How to make use of these paramaters?
Take a 100M ethernet for example. The maxmize packet per second is 12.5M x 1024 = 12800 Bytes/s. If the value of packet
per second of broadcast is greater or close to it, then we can define there's broadcast storm.
The packets sum, number, and its size distribution are different according to the size of network.
Protocol Type is mainly to stats the protocols with the largest traffic utilization. (PS: Care must be taken to distinguish ARP
Request and ARP Response, ARP Request is broadcast, while ARP Response is unicast.)
2. IPID Identification of the packet
IPID is the unique flow to identificate the packet. If there's a protocol in a large traffic utilization, we can check its IPID in
Packets view, if they are the same, we can confirm it is caused by network loop.
Currently, network loop is one of the mainly causes to broadcast storm.
3. Check the Utilization
How to make use of the utilization paramaters?
Utilization is divided into "Utilization (bits)" & "Utilization (percentage)". The computational process of network utilization is: bits per second(in "Summary" view) / network bandwidth(100M or 1000M Ethernet). Ordinary, the network is perfect if the utilization is 50% in a ethernet, we can get the conclusion that there must be broadcast storm in the network if the utilization of broadcast is over 30%.
Download the latest Capsa 6.9R2(windows 7 supported) to monitor your network perfermances in time.
No comments:
Post a Comment