IT Trenches

Dec 18 2009   8:33PM GMT

Broadcast traffic told me the network was contaminated

Troy Tate Profile: Troy Tate

If you don’t know what’s broadcasting on your network, you don’t know your network! I recently discovered a rogue network cross-connection on a network. The cross connect was from an unmanaged internet connection to a private LAN. The way I discovered this was using Wireshark and listening for all traffic not from the private LAN IP range. I used a capture filter of “not 172.16.88.0/24″. This showed all non-IP traffic and especially all broadcast traffic on the network. Lo and behold, a device was doing broadcasts on a network starting with 221.x.x.x. Hmmm… a device is either misconfigured or there is a cross-connect that no one knows about or isn’t telling anyone about. The Wireshark screen is shown below highlighting just one example ARP packet showing the traffic in question.

The display filter I have in the box removes spanning tree protocol (STP) and AppleTalk ZIP broadcasts.

This is definitely unexpected and unwelcome traffic. I asked the person to immediately find and remove this rogue connection.

So, I recommend every now and then putting up Wireshark and listening to broadcasts on your network. It’s talking to you!

Has your network told you anything interesting lately? Tell me and other ITKE readers about it. Thanks for reading and let’s be good network citizens!

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: