独自のものではないIPからマルチキャストパケットを送信するHPアクセスポイント
私は通常のネットワーク担当者ではありません...この問題を解決するためにドラフトされたばかりなので、ご容赦ください。
HP Procurveギアで大部分が構成されている、かなり大規模な(〜4,000デバイス?)ネットワークがあります。過去数週間にわたって、他のすべてのトラフィックがネットワークを介して送信されないようにするブロードキャストストームが発生することがあります。私はWiresharkをセットアップして5MBのダンプを実行しましたが、今朝の行為でこれの一部をキャッチしました。
パケットキャプチャをダウンロード できます。楽しみはパケット#23968から始まりました。一見不正な形式のNBNSパケットが何度も繰り返されます。しかし、それは単なるループではありません。送信元(143.226.8.185)と宛先(143.226.44.79)のIPアドレスは同じままですが、送信元MACアドレスが変更されます。最初のパケットは、ネットワーク上の重要でないデバイスから送信されたようで、マルチキャストアドレス01:00:5e:7f:ff:faに送信されます。その後のすべてのパケットは、HPワイヤレスアクセスポイントのMACアドレスから送信され、別のマルチキャストアドレス01:00:5e:62:2c:4fに送信されます。
これが最初のパケットです:
No. Time Source Destination Protocol Info
23968 122.229240 143.226.8.185 143.226.44.79 NBNS Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]
Frame 23968 (1038 bytes on wire, 1038 bytes captured)
Arrival Time: Sep 15, 2010 08:32:44.329966000
[Time delta from previous captured frame: 0.004744000 seconds]
[Time delta from previous displayed frame: 0.004744000 seconds]
[Time since reference or first frame: 122.229240000 seconds]
Frame Number: 23968
Frame Length: 1038 bytes
Capture Length: 1038 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:udp:nbns]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
Address: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
Address: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 7773643D22687474703A2F2F736368656D61732E786D6C73...
Frame check sequence: 0x6f70653e [incorrect, should be 0x30019938]
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 203
Identification: 0x00d0 (208)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0xe485 [correct]
[Good: True]
[Bad : False]
Source: 143.226.8.185 (143.226.8.185)
Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 183
Checksum: 0x01db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
NetBIOS Name Service
Transaction ID: 0x4d2d
Flags: 0x5345 (Unknown operation)
0... .... .... .... = Response: Message is a query
.101 0... .... .... = Opcode: Unknown (10)
.... ..1. .... .... = Truncated: Message is truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Broadcast: Not a broadcast packet
Questions: 16722
Answer RRs: 17224
Authority RRs: 8234
Additional RRs: 8264
Queries
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (12081)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (11631)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25701)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25914)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25970)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (18273)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (24953)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (26979)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (3338)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (14882)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28730)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25455)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (8717)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28513)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (29287)
[Malformed Packet: NBNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
次のパケットは次のとおりです。
No. Time Source Destination Protocol Info
23969 122.229836 143.226.8.185 143.226.44.79 NBNS Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]
Frame 23969 (217 bytes on wire, 217 bytes captured)
Arrival Time: Sep 15, 2010 08:32:44.330562000
[Time delta from previous captured frame: 0.000596000 seconds]
[Time delta from previous displayed frame: 0.000596000 seconds]
[Time since reference or first frame: 122.229836000 seconds]
Frame Number: 23969
Frame Length: 217 bytes
Capture Length: 217 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:udp:nbns]
[Coloring Rule Name: SMB]
[Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: HewlettP_05:de:da (00:17:a4:05:de:da), Dst: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
Destination: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
Address: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HewlettP_05:de:da (00:17:a4:05:de:da)
Address: HewlettP_05:de:da (00:17:a4:05:de:da)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 203
Identification: 0x00d0 (208)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 127
Protocol: UDP (0x11)
Header checksum: 0xe585 [correct]
[Good: True]
[Bad : False]
Source: 143.226.8.185 (143.226.8.185)
Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
Source port: netbios-ns (137)
Destination port: netbios-ns (137)
Length: 183
Checksum: 0x01db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
NetBIOS Name Service
Transaction ID: 0x4d2d
Flags: 0x5345 (Unknown operation)
0... .... .... .... = Response: Message is a query
.101 0... .... .... = Opcode: Unknown (10)
.... ..1. .... .... = Truncated: Message is truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... ...0 .... = Broadcast: Not a broadcast packet
Questions: 16722
Answer RRs: 17224
Authority RRs: 8234
Additional RRs: 8264
Queries
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (12081)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (11631)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25701)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25914)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25970)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (18273)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (24953)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (26979)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (3338)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (14882)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28730)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (25455)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (8717)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (28513)
Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
Type: unknown
Class: Unknown (29287)
[Malformed Packet: NBNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
クレイジーじゃない?パケットキャプチャを見ると、このパケットの多くがその時点以降に繰り返されていることがわかります。その後、さらにいくつかのファイルに移動します。
これがループの場合、なぜAPだけがこのパケットを送信するのでしょうか。これらのAPは、キャンパス全体に散在しています。
私たちのネットワークについてもう少し情報...それはすべてフラットです。ストレートイーサネットはすべてに対応しており、クラスBのIPブロックがあります。サブネットはありません。ネットワークとWAN接続)の間には、パケットシェイパー、ファイアウォール、ルーターがあります。
最後に、この投稿をご覧になり、ご存知のように思われる場合は、過去に同様の問題を投稿しましたが、まだ解決されていませんが、最近は確認されていません。これは マルチキャストping要求を送信するHPスイッチ にあります。
どうもありがとうございました!
編集:パケット23968がこのマルチキャストストームのトリガーであることが確認されています。その1つのパケットをネットワークに再生し、再度開始しました。
編集/更新:さらに実験を行います。 HPアクセスポイントの1つを使用して、PCに直接接続しました。セグメントには他に何も添付されていません。 APに問題を引き起こしていた最初のパケットを再生すると、APは1回応答します。 APの応答をAPに再生すると、APは再度応答します。これを行うたびに、TTLが低下します。ここで起こっていることは、ネットワーク上のAPが最初にホストからの壊れたマルチキャストパケットを聞き、マルチキャストを介してそれに応答することです。各APは聞きます。これらの応答は他のすべてのAPから送信され、それらに応答します。各APは、応答に対するすべての応答を聞き、それらに応答します。幸い、嵐が発生するたびにTTL TTLが0になり、パケットが強制終了されるとすぐに、この動作を停止する方法を理解するだけです。
目の前にあるAPは、HP Procruve 420J8130Bです。
編集(解決済み!):APですべての構成設定を試した後でも、マルチキャストパケットの再送信を防ぐことができませんでした。最新のファームウェアを使用していないことがわかったので、アップグレードしてみましたが、問題は解決しませんでした。次に、2006年11月29日からバージョン2.1.7にダウングレードしてみました。このファームウェアに問題はありません。 2.1.7を実行しているAPはパケットを再送信しません!!!そもそもジャンクデータがどのようにネットワークに到達したのかを理解するのをまだ待っていますが、今のところ問題は解決しています。 HPでバグレポートを作成しています。
何よりもまず、これらはNBNSパケットではなく、実際には「インターネットゲートウェイデバイス」対応デバイスを検索しようとするユニバーサルプラグアンドプレイパケットです。 UPNP-IGDは、IPv4マルチキャストを使用してそのようなエッジデバイスを見つけます。それがそうであるように、プロトコルは、1つだけであるべきであると言っています。景品はパケットペイロードにあります:
M-SEARCH * HTTP/1.1 Host:239.255.255.250:1900 ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1 Man: "ssdp:discover " MX:3 。xmlsoap.org/ws/2004/08/addressing"xmlns:
IGDは、一部のアプリケーションで使用され、コンシューマーにNATゲートウェイの処理方法NAT特定のプロトコルのトラバーサルを指示します。IMアプリケーションなど。Wiresharkに表示させることができます。そのキャプチャのHTTPとしてUDP/137をデコードするように指示することでより良いです。
さて、なぜこれがマルチキャストストームを引き起こしているのは大きな問題です。嵐が発生するかなり前に同じ種類のパケットを受信していますが、それらは239.255.255.250:1900に正しく送信されています。実際、パケット23955は、23968でストームを開始した同じデバイスから送信されます。ただし、パケット23968は同じ宛先MACアドレス(IPv4マルチキャストを示すもの)を示していますが、宛先IPアドレスは/ 16ブロックにあり、すべきではありません。マルチキャストである。
パケット23604も非常に奇形です。有効なイーサネットヘッダーがありますが、IPヘッダーが奇妙に切り捨てられ、上記で引用したのと同じUPNP-IGD文字列で終わります。この奇妙で奇妙なパケットを発行したデバイスは、マルチキャストストームを開始したパケット23968と同じデバイスです(とにかく同じMACアドレスから来ています)。
この時点での私の最善の策は、00:1F:3B:D2:5E:6Dのデバイスが何らかの方法でホース接続されているか、これらのUPNP検索要求を一意に正しく処理していないことです。パケット24717は、同じデバイスからの239.255.255.250:3702に送信される別のM-SEARCH要求を示しています。正しいIPアドレス、間違ったポート(1900である必要があります)。
私の推測では、マルチキャストストームは、マルチキャストMACアドレスとともに到着するユニキャストIPアドレスを持つパケットによって開始されており、ネットワークデバイスはその無効なケースを正しく処理していません。これは、最初のパケットの後のパケットがすべて同じIP(143.226.8.185)から発信されていると主張しているが、MACアドレスがすべて異なるという事実を示唆しています。ネットデバイスのマルチキャスト/ユニキャスト処理のバグを見つけることができた不良デバイスがあります。
ブロードキャストを送信しているホストでタスクマネージャーを開き、ネットワークに何かを送信する可能性のあるすべてのアプリケーションを1対1で閉じ、同時にネットワーク内のパッケージ(Wireshark)を調べて検索することをお勧めします。問題を引き起こしているアプリのために。
@ブラッド:私はこれを見たばかりで、問題について何か洞察が得られるかどうか疑問に思っています。