Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Network analyzer 1

Status
Not open for further replies.
gmangil

gmangil

IS-IT--Management
Nov 14, 2005
1
US
Help,

I am running a Novell network and it seems I have a nic somewhere broadcasting and overloading my network. I am trying to find a free tool to track which NIC or IP is flooding my system. Does anyone have any ideas. I looked at Ethereal but it only tracks incoming and outgoing packets from the machine it is instlled on. i need to track all ip's.

Thanks,

 
Sort by date Sort by votes
That's incorrect about ethereal , depends on how you use it . Also you don't indicate what kind of network it is , everything on 1 lan etc . If it's on single switch you can just span everything in the vlan to a desitnation port on the switch and this will create a copy of all lan traffic to that source port and then you can look at it with your ethereal analyzer.
 
Upvote 0 Downvote
The key to capturing all of the packets seen by your NIC is to put the analyzer in promiscuous mode. This is a checkbox in the capture setup.

The other thing to keep in mind is that on a switched network you will only see packets to and from the analyzer as well as broadcasts and multicasts. The switch will not forward any other packets to your analyzer.

Mike
 
Upvote 0 Downvote
If the machine that you are looking for is actually broadcasting, you will see that with Ethereal regardless of where on your subnet you install it. The fact that you didn't see any broadcast traffic with Ethereal indicates that you aren't having a broadcast storm.

In a switched environment (like the one that you are in) you should be able to simply look at the LEDs on the switch and identify a noisy machine, because only it's port, and the port of its destination traffic should be flashing wildly. In a broadcast storm, all LEDs flash, but you will see the traffic on any port with Ethereal.

Ethereal behaves like any protocol analyzer in a switched environment, it can only see the traffic that is destined for the port on which it is installed. That will include all broadcast traffic, and any traffic to a host on that port. If you have a managed switch, you can set a port to "mirror" or "monitor" another port. Then you will see all of the traffic to and from that port instead.

If you don't have a managed switch, you can look for an application that will allow you to do ARP cache poisoning. Poisoning the cache will allow you to see all traffic for all ports for a short period of time while the switch attempts to rebuild its cache. You can continue to poison until you collect enough traffic.

What symptoms are you seeing that make you suspect that the network is being overwhelmed?

By the time you work all of this out, you will probably be better off just disconnecting one machine at a time to see where the problem resolves itself. It sounds as if your network is fairly small.


pansophic
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

keyset6
  • Locked
  • Question
Identifying a connected network cable 1
Replies
5
Views
205
keyset6
keyset6
t3rm3y
  • Locked
  • Question
network drops every hour
Replies
0
Views
95
t3rm3y
t3rm3y
Carlvic
  • Locked
  • Question
New router & Network setup.
Replies
0
Views
87
Carlvic
Carlvic
Sumera78630
  • Locked
  • Question
How to See the Bandwidth of over all network
Replies
1
Views
91
VinceWhirlwind
VinceWhirlwind
RodneyMcSnow
  • Locked
  • Question
Voice MPLS Network between 4-sites intermittant connectivity loss
Replies
0
Views
78
RodneyMcSnow
RodneyMcSnow

Part and Inventory Search

Sponsor

Back
Top