By carsten.holfelder
I have got a switched network with about 1600 devices connected to it. I have connected a packet sniffer to the network and I noticed that I am able to sniff a lot of packets that should have been switched - directed traffic. When I check the data packets I notice that there is a destination MAC address in the data packet. I connected the packet sniffer to a different section of the network and it is the same. When I check on the switches the MAC address is not in the ARP table. I have increased the aging time of the ARP cache and it has made no difference. My main switches are Dell Poweredge 5324 and the rest are a mix between 3Com and Cabletron. The switches are not even sending a broadcast packet asking for the MAC address of the server or computer. When I check the port the server is connected to, it doesn't show the MAC address of the server. What can I do to solve this problem? Thanks, Carsten

by sgt_shultz In reply to Broadcasts

don't we need to know more like server and wkstn os and domain config? wonder who the mac address belongs to. i couldn't guess why going thru switches but think you are on right track trying to id traffic. you are way ahead of me carsten but my wild guess is a printer discovery software? looking for a mac address plinked in by admin somewhere? what is 'source' address? is it coming from all over. search mskb or technet looking for info on conversations using mac address in destination address?

by carsten.holfelder In reply to

Thanks for your assistance. I checked mskb and found the following solution:
Network Load Balancing's behavior is intended to make sure that incoming packets for a Network Load Balancing cluster are simultaneously received by all Network Load Balancing hosts on the same subnet. To do so, Network Load Balancing sets the MAC address of its network adapter on each cluster host to the same value that is associated with the virtual Internet Protocol (IP) addresses. Network Load Balancing also modifies all outgoing packets to mask this address and thereby prevents the address's discovery by the switch to which Network Load Balancing hosts are connected. As a result, the switch broadcasts the incoming packets that are intended for the Network Load Balancing cluster's MAC address on all ports, and all Network Load Balancing hosts simultaneously receive these packets.


To work around this compatibility problem, use any of the following methods:

- Switch to Network Load Balancing multicast mode. You can configure Network Load Balancing to use multicast mode. If you do so, Network Load Balancing uses ISO layer 2 multicast to simultaneously distribute incoming packets to all cluster hosts. In this mode, Network Load Balancing does not modify the hardware MAC address of outgoing packets, and the compatibility problem with BIG-IP does not occur. You may not be able to use multicast mode in all installations because it is not compatible with some Cisco routers. (See Network Load Balancing's Online help for more details.)

- Use a hub instead of a switch. If you connect Network Load Balancing hosts to a hub instead of to a switch, all incoming packets are automatically broadcast to all cluster hosts. In this situation, you can turn off Network Load Balancing's default behavior that masks hardware MAC addresses in unicast mode by setting the Network Load Balancing MaskSourceMAC registry value to 0 (the default setting for this value is 1). See the Windows 2000 Advanced Server Resource Kit for more details.

by carsten.holfelder In reply to Broadcasts

It is a web-based application that runs a SQL server in the background. There are four IIS servers running with Microsoft NLB (Network Load Balancing) between them. Two servers are connected to one switch and the other two to another switch. The replies from the servers to the clients are directed. It is only the traffic that is going to the servers that is being broadcast. The servers have got two NICs in them. One is for the NLB, which the clients access, and the other is used for a maintenance connection.

by carsten.holfelder In reply to Broadcasts

This question was closed by the author
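
The symptom in this thread (unicast frames to the NLB cluster reaching every port, where any attached host can read them) can be confirmed from a capture taken on an ordinary access port. The following is an added example, not code from the thread or from Microsoft; the function names, the sniffer MAC and the sample frames are constructed for illustration.

```python
from collections import Counter

def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)

def is_group(mac: str) -> bool:
    # I/G bit set: broadcast or multicast, which a switch floods by design.
    return first_octet(mac) & 0x01 == 1

def is_locally_administered(mac: str) -> bool:
    # U/L bit set: address assigned by software, not burned into the NIC.
    return first_octet(mac) & 0x02 != 0

def flooded_unicast(frames, sniffer_mac):
    """frames: (src_mac, dst_mac) pairs captured on one non-mirrored port.

    A unicast frame addressed to someone else should never reach such a
    port, so each one seen here was flooded by the switch.
    """
    sniffer_mac = sniffer_mac.lower()
    frames = [(s.lower(), d.lower()) for s, d in frames]
    sources = {s for s, _ in frames}
    hits = Counter(d for s, d in frames
                   if not is_group(d) and sniffer_mac not in (s, d))
    return [{
        "dst": mac,
        "frames": count,
        # Never a source: the switch has nothing to learn the MAC from
        # (the masked-source case quoted above). Seen as a source: look
        # at MAC table aging or overflow instead.
        "never_seen_as_source": mac not in sources,
        "locally_administered": is_locally_administered(mac),
    } for mac, count in hits.most_common()]

# Constructed sample capture; all addresses are made up.
SNIFFER = "00:11:22:33:44:55"
SAMPLE = [
    ("00:aa:00:00:00:01", "02:bf:0a:00:00:64"),  # client -> cluster MAC
    ("00:aa:00:00:00:02", "02:bf:0a:00:00:64"),
    ("00:aa:00:00:00:02", "ff:ff:ff:ff:ff:ff"),  # broadcast, ignored
    ("00:aa:00:00:00:03", "02:BF:0A:00:00:64"),
    ("00:aa:00:00:00:03", "00:11:22:33:44:55"),  # addressed to the sniffer
    ("00:aa:00:00:00:01", "00:aa:00:00:00:02"),  # flooded, but MAC is learnable
    ("00:aa:00:00:00:01", "01:00:5e:00:00:fb"),  # multicast, ignored
]

if __name__ == "__main__":
    for row in flooded_unicast(SAMPLE, SNIFFER):
        print(row)
```

A destination reported with `never_seen_as_source` set matches the masked-source behaviour described in the quoted article; one that does appear as a source points to a switch table problem rather than NLB.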
