Broadcast traffic told me the network was contaminated

Troy Tate — Fri, 18 Dec 2009 20:33:46 +0000

If you don’t know what’s broadcasting on your network, you don’t know your network! I recently discovered a rogue network cross-connection on a network. The cross connect was from an unmanaged internet connection to a private LAN. The way I discovered this was using Wireshark and listening for all traffic not from the private LAN IP range. I used a capture filter of “not 172.16.88.0/24″. This showed all non-IP traffic and especially all broadcast traffic on the network. Lo and behold, a device was doing broadcasts on a network starting with 221.x.x.x. Hmmm… a device is either misconfigured or there is a cross-connect that no one knows about or isn’t telling anyone about. The Wireshark screen is shown below highlighting just one example ARP packet showing the traffic in question.

The display filter I have in the box removes spanning tree protocol (STP) and AppleTalk ZIP broadcasts.

This is definitely unexpected and unwelcome traffic. I asked the person to immediately find and remove this rogue connection.

So, I recommend every now and then putting up Wireshark and listening to broadcasts on your network. It’s talking to you!

Has your network told you anything interesting lately? Tell me and other ITKE readers about it. Thanks for reading and let’s be good network citizens!

IT Trenches » broadcast

Broadcast traffic told me the network was contaminated