Why sending packets to broadcast IP? - Networking


  1. Why sending packets to broadcast IP?

    I noticed a whole lot of traffic going on one of our subnets, and
    brought up the IPCop (IDS/firewall/router PC) log summary, and found
    this section:

    Logged 832 packets on interface eth1
       From 192.168.2.2 - 392 packets
          To 192.168.2.1 - 219 packets
             Service: domain (udp/53) (INPUT,eth1,none) - 219 packets
          To 192.168.2.7 - 170 packets
             Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 170 packets
    --snip--
       From 192.168.2.3 - 440 packets
          To 192.168.0.9 - 10 packets
             Service: axon-lm (tcp/1548) (NEW not SYN?,eth1,eth0) - 10 packets
          To 192.168.2.1 - 117 packets
             Service: domain (udp/53) (INPUT,eth1,none) - 117 packets
          To 192.168.2.7 - 313 packets
             Service: netbios-ns (udp/137) (INPUT,eth1,none) - 84 packets
             Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 229 packets

    192.168.2.2 is our file server
    192.168.2.3 is our internal Web server
    192.168.2.1 is the IPCop machine's NIC
    192.168.2.7 is the broadcast IP for the subnet

    Why in the world are the two servers sending so much traffic to the
    broadcast IP?! I'm not terribly edumacated in TCP/IP networking I'm
    afraid, so I guess this may be normal.
    But it seems odd.
    Thanks for any feedback!
    -Liam

  2. Re: Why sending packets to broadcast IP?

    In comp.os.linux.networking, news@celticbear.com wrote:

    > I noticed a whole lot of traffic going on one of our subnets, and
    > brought up the IPCop (IDS/firewall/router PC) log summary, and found
    > this section:
    >
    > Logged 832 packets on interface eth1
    >    From 192.168.2.2 - 392 packets
    >       To 192.168.2.1 - 219 packets
    >          Service: domain (udp/53) (INPUT,eth1,none) - 219 packets
    >       To 192.168.2.7 - 170 packets
    >          Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 170 packets
    > --snip--
    >    From 192.168.2.3 - 440 packets
    >       To 192.168.0.9 - 10 packets
    >          Service: axon-lm (tcp/1548) (NEW not SYN?,eth1,eth0) - 10 packets
    >       To 192.168.2.1 - 117 packets
    >          Service: domain (udp/53) (INPUT,eth1,none) - 117 packets
    >       To 192.168.2.7 - 313 packets
    >          Service: netbios-ns (udp/137) (INPUT,eth1,none) - 84 packets
    >          Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 229 packets
    >
    > 192.168.2.2 is our file server
    > 192.168.2.3 is our internal Web server
    > 192.168.2.1 is the IPCop machine's NIC
    > 192.168.2.7 is the broadcast IP for the subnet
    >
    > Why in the world are the two servers sending so much traffic to the
    > broadcast IP?!


    Given the target ports of those packets, my guess is that you have SMB
    servers running on 192.168.2.2 and 192.168.2.3, and they are performing the
    requisite scan of your network for SMB client machines and SMB domain
    controllers. netbios-ns is the SMB "Name server" port that lets client SMB
    systems determine SMB network names, while netbios-dgm is the SMB datagram
    port.



    --
    Lew Pitcher

    Master Codewright & JOAT-in-training | Registered Linux User #112576
    http://pitcher.digitalfreehold.ca/ | GPG public key available by request
    ---------- Slackware - Because I know what I'm doing. ------
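
An added example, not part of any post in this thread: a small parser for the log summary quoted above that totals NetBIOS datagrams (udp/137, udp/138) sent to the subnet broadcast address, per source host. The /29 prefix is an assumption inferred from 192.168.2.7 being the broadcast address, and the sample text is constructed from the lines in the original post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the log summary from the original post, re-indented.
SAMPLE = """\
Logged 832 packets on interface eth1
   From 192.168.2.2 - 392 packets
      To 192.168.2.1 - 219 packets
         Service: domain (udp/53) (INPUT,eth1,none) - 219 packets
      To 192.168.2.7 - 170 packets
         Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 170 packets
   From 192.168.2.3 - 440 packets
      To 192.168.0.9 - 10 packets
         Service: axon-lm (tcp/1548) (NEW not SYN?,eth1,eth0) - 10 packets
      To 192.168.2.1 - 117 packets
         Service: domain (udp/53) (INPUT,eth1,none) - 117 packets
      To 192.168.2.7 - 313 packets
         Service: netbios-ns (udp/137) (INPUT,eth1,none) - 84 packets
         Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 229 packets
"""

# Assumption: a /29, the only prefix with broadcast 192.168.2.7 that contains .1-.3.
SUBNET = ipaddress.ip_network("192.168.2.0/29")
NETBIOS_UDP = {137: "netbios-ns", 138: "netbios-dgm"}

FROM_RE = re.compile(r"^\s*From (\S+) - \d+ packets")
TO_RE = re.compile(r"^\s*To (\S+) - \d+ packets")
SVC_RE = re.compile(r"^\s*Service: \S+ \((tcp|udp)/(\d+)\) \(.*\) - (\d+) packets")

def netbios_broadcasts(text, subnet=SUBNET):
    """Return {source: {service: packets}} for NetBIOS UDP sent to the subnet broadcast."""
    totals = defaultdict(lambda: defaultdict(int))
    src = dst = None
    for line in text.splitlines():
        if m := FROM_RE.match(line):
            src, dst = m.group(1), None          # new source block
        elif m := TO_RE.match(line):
            dst = ipaddress.ip_address(m.group(1))
        elif (m := SVC_RE.match(line)) and src and dst:
            proto, port, count = m.group(1), int(m.group(2)), int(m.group(3))
            if dst == subnet.broadcast_address and proto == "udp" and port in NETBIOS_UDP:
                totals[src][NETBIOS_UDP[port]] += count
    return {s: dict(v) for s, v in totals.items()}

if __name__ == "__main__":
    for source, services in netbios_broadcasts(SAMPLE).items():
        print(source, services, "total", sum(services.values()))
```
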



  3. Re: Why sending packets to broadcast IP?

    On Jun 26, 11:14 am, Lew Pitcher wrote:
    > In comp.os.linux.networking, n...@celticbear.com wrote:
    > > I noticed a whole lot of traffic going on one of our subnets, and
    > > brought up the IPCop (IDS/firewall/router PC) log summary, and found
    > > this section:
    > >
    > > Logged 832 packets on interface eth1
    > >    From 192.168.2.2 - 392 packets
    > >       To 192.168.2.1 - 219 packets
    > >          Service: domain (udp/53) (INPUT,eth1,none) - 219 packets
    > >       To 192.168.2.7 - 170 packets
    > >          Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 170 packets
    > > --snip--
    > >    From 192.168.2.3 - 440 packets
    > >       To 192.168.0.9 - 10 packets
    > >          Service: axon-lm (tcp/1548) (NEW not SYN?,eth1,eth0) - 10 packets
    > >       To 192.168.2.1 - 117 packets
    > >          Service: domain (udp/53) (INPUT,eth1,none) - 117 packets
    > >       To 192.168.2.7 - 313 packets
    > >          Service: netbios-ns (udp/137) (INPUT,eth1,none) - 84 packets
    > >          Service: netbios-dgm (udp/138) (INPUT,eth1,none) - 229 packets
    > >
    > > 192.168.2.2 is our file server
    > > 192.168.2.3 is our internal Web server
    > > 192.168.2.1 is the IPCop machine's NIC
    > > 192.168.2.7 is the broadcast IP for the subnet
    > >
    > > Why in the world are the two servers sending so much traffic to the
    > > broadcast IP?!
    >
    > Given the target ports of those packets, my guess is that you have SMB
    > servers running on 192.168.2.2 and 192.168.2.3, and they are performing the
    > requisite scan of your network for SMB client machines and SMB domain
    > controllers. netbios-ns is the SMB "Name server" port that lets client SMB
    > systems determine SMB network names, while netbios-dgm is the SMB datagram
    > port.


    Ah, that makes sense.
    Just the number of packets surprised me.
    Thanks for the info!
