WWW Golinuxcloud Com Discovering Network Loops With Wireshark
all other end points at the same time. In this type of communication, there is only one sender that
sends data frames to all connected receivers.
2. Multicast Frame
Multicast is the term used to describe communication where a frame is sent from one end point to
one or multiple end points at the same time. In this type of communication, there is only one
sender that sends a data frame to one or multiple connected receivers.
3. Unicast Frame
Unicast is the term used to describe communication where a frame is sent from one end point to
only one other end point. In this type of communication, there is only one sender that sends a data
frame to one connected receiver.
source: https://en.wikipedia.org
The first 24 bits (3 bytes) of a MAC address are called the Organizationally Unique Identifier (OUI), which
identifies a vendor, manufacturer, or other organization. See some OUI below.
The Individual/Group (IG) bit is used to differentiate unicast frames from multicast frames. When
the bit is set to zero (0), the frame is unicast. When it is set to one (1), the frame
is multicast. The bit is located in the most significant byte of the MAC address. In the figure above,
“b0” is the IG bit. For broadcast frames, a special MAC address (FF-FF-FF-FF-FF-FF) is
used to distinguish them from other traffic.
Network loops occur due to many reasons. The most common causes are below.
For learning and testing purposes, the easiest way to create a loop is to disable spanning tree on
the switch and plug a network cable from one port into another. That kind of loop is rare in a
real network, though. It happens only with hubs and dumb switches that do not run
a spanning tree. A second easy way to create a loop is with buggy IP phones. Here is a list
from Cisco: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd03371
If you have one of the phones in the list, you can create a loop. (I am sure there are some other
models that have the bug but are not listed there.)
When you accidentally plug both PC Port cable and Network Port cable of the phone into the
network switch, it'll cause a network loop that brings down the network. The reason is that the STP
packet sent by the switch through the Network Port gets filtered by the phone. Since the switch
does not get the STP packet back through the PC Port, it will not block that port, leaving the
network prone to a broadcast or multicast storm. In a short time, a loop occurs and the network
goes down.
Use the “unicast / (broadcast + multicast)” formula, which gives you a good idea of what is happening. Let’s test it on the
packets I captured during the loop. We will create a filter (eth.dst.ig == 0) that shows the packets
whose IG bit is zero (0), that is, the unicast packets. See the details below.
The number of unicast packets is 510. The number of total packets is 1870829.
As you can see in both the screenshot and the calculation, the unicast packet ratio is very low, which indicates
that a loop has occurred. The number of broadcast and multicast packets can be found with this
filter: (eth.dst.ig == 1) or (eth.addr == ff:ff:ff:ff:ff:ff)
The Header Checksum or Identification fields in the IP header can be used to check whether a loop has happened.
Both fields normally change from one packet to the next, so when you see the same Header
Checksum or Identification value repeated in other packets, you can say there has been a loop.
Remember that Header Checksum and Identification are 2-byte fields. Even if the probability is low, there is
always a chance of a collision in these fields. A collision simply means that the same
identifier or checksum value is assigned to different packets.
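Both checks above (the unicast ratio and repeated Identification/Header Checksum values) can be run over raw frames. This is an added example, not code from the original article; the frames, addresses and checksum values in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_dst(frame):
    """Classify an Ethernet frame by destination MAC: broadcast, multicast, unicast."""
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    # IG bit is the least significant bit of the first address byte.
    return "multicast" if dst[0] & 0x01 else "unicast"

def ipv4_fingerprint(frame):
    """Return (src, dst, Identification, Header Checksum), or None if not plain IPv4."""
    # VLAN-tagged frames (EtherType 0x8100) are skipped to keep the example short.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:34]
    ident, checksum = struct.unpack("!H", ip[4:6])[0], struct.unpack("!H", ip[10:12])[0]
    return (ip[12:16], ip[16:20], ident, checksum)

def analyze(frames):
    """Return (per-type counts, unicast/(broadcast+multicast), repeated fingerprints)."""
    kinds = Counter(classify_dst(f) for f in frames)
    flooded = kinds["broadcast"] + kinds["multicast"]
    ratio = kinds["unicast"] / flooded if flooded else float("inf")
    seen = Counter(fp for fp in map(ipv4_fingerprint, frames) if fp)
    return kinds, ratio, {fp: n for fp, n in seen.items() if n > 1}

def make_frame(dst_mac, ident, checksum, dst_ip):
    """Build a constructed Ethernet+IPv4 header (checksum value is illustrative)."""
    eth = dst_mac + bytes.fromhex("020000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20, ident, 0, 64, 17, checksum)
    return eth + ip + bytes([10, 0, 0, 5]) + dst_ip

# Constructed capture: one broadcast seen 5 times, one multicast seen twice,
# and two distinct unicast packets.
SAMPLE = (
    [make_frame(BROADCAST, 0x1A2B, 0xBEEF, bytes([10, 0, 0, 255]))] * 5
    + [make_frame(bytes.fromhex("01005e0000fb"), 0x0001, 0x1111, bytes([224, 0, 0, 251]))] * 2
    + [make_frame(bytes.fromhex("001122334455"), 0x0002, 0x2222, bytes([10, 0, 0, 9])),
       make_frame(bytes.fromhex("001122334455"), 0x0003, 0x3333, bytes([10, 0, 0, 9]))]
)

if __name__ == "__main__":
    kinds, ratio, repeats = analyze(SAMPLE)
    print(dict(kinds), f"unicast ratio={ratio:.3f}")
    for (src, dst, ident, csum), n in repeats.items():
        print(f"id=0x{ident:04x} checksum=0x{csum:04x} seen {n} times")
```

Keying on source, destination, Identification and checksum together rather than on one 2-byte field alone reduces false positives from the collisions mentioned above.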
The simplest way is to use “Task Manager” in any Windows Operating System. Open your desktop,
right click on the task bar and select “Task Manager” from the context menu and navigate to the
“Performance” tab. You will see CPU, Memory and Network utilizations. See below my CPU and
Network utilization during the loop.
When the loop occurred, my network utilization increased instantly, causing my computer to
freeze. When I removed the loop, the traffic returned to its normal level. Besides excessive network
utilization, high CPU usage was observed.
Checking the logs on the switches may give a useful clue. The logs below were produced on the switch during
the loop.
As you can see, the same MAC address is flapping between port Gi1/0/4 and port Gi1/0/3, which is a
strong sign of a loop.
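One way to pull MAC-flap events out of a switch log and group them by port pair, as an added example that is not from the original article. It assumes the Cisco IOS `%SW_MATM-4-MACFLAP_NOTIF` message layout; the log lines are constructed and the function name and threshold are hypothetical.

```python
import re
from collections import defaultdict

# Assumed message layout: Cisco IOS MAC-flap notification.
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

# Constructed log lines (not taken from the article's switch).
SAMPLE_LOG = """\
Mar  1 00:10:01: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi1/0/4 and port Gi1/0/3
Mar  1 00:10:02: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 1 is flapping between port Gi1/0/3 and port Gi1/0/4
Mar  1 00:10:02: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/9, changed state to up
Mar  1 00:10:03: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 1 is flapping between port Gi1/0/4 and port Gi1/0/3
Mar  1 00:10:04: %SW_MATM-4-MACFLAP_NOTIF: Host 00aa.bbcc.ddee in vlan 1 is flapping between port Gi1/0/4 and port Gi1/0/3
Mar  1 00:12:40: %SW_MATM-4-MACFLAP_NOTIF: Host 0050.5600.0001 in vlan 20 is flapping between port Gi1/0/7 and port Gi1/0/8
"""

def suspect_port_pairs(log_text, min_events=3):
    """Group flap events by unordered port pair; keep pairs with >= min_events."""
    events = defaultdict(lambda: {"events": 0, "macs": set()})
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        # The switch may report the two ports in either order.
        pair = tuple(sorted((m["a"], m["b"])))
        events[pair]["events"] += 1
        events[pair]["macs"].add(m["mac"].lower())
    return {p: v for p, v in events.items() if v["events"] >= min_events}

if __name__ == "__main__":
    for pair, info in suspect_port_pairs(SAMPLE_LOG).items():
        print(pair, info["events"], "events,", len(info["macs"]), "MACs")
```

A single flap on a port pair can be a host that moved; repeated flaps from several MAC addresses on the same pair point at the looped ports.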
Another way is to use network monitoring tools like SolarWinds Network Performance Monitor,
Nagios Core, Cacti, Observium etc. The crucial point is that you should look at inbound traffic
where there has been excessive traffic recently. That is probably the source of the loop.