
Recently the whole network at work is being hit by multicast traffic originating on the LAN itself. I did some investigating and the service which seems to be responsible is ws-discovery.

I have attached a screenshot of Wireshark capturing the traffic. I have tried shutting down the source machine from which it was originating, but the multicast traffic still seems to be present in the network.

Image

My network topology

2 subnets - 10.10.10.0/24 and 10.20.10.0/24. Gateway is a Debian system. We have 3 switches for 3 floors. They are all unmanaged D-Link 24-port switches.

Multicast blocking at switch level is out of the question. Any solutions? :(

sysadmin1138
Nel
  • You don't happen to have any network loops (in topology), do you? That could easily explain ghost traffic. Also, there are quite a few services/programs that may rely on ws-discovery, so completely disabling it may not be feasible. Limiting it to 'normal' levels may be more suitable. – Joris Feb 15 '11 at 06:07
  • What sort of loops should I be looking into? Sorry, I'm still a newbie! Also svchost.exe is the one responding on all the machines. The multicast IP is 239.255.255.250. The multicast was going on to ws-discovery whose port was 3702. Right now it's completely stopped. – Nel Feb 15 '11 at 06:24
  • AHHHHH! You were right! It was a network loop. One person had connected back a freely hanging wire of the switch back into it!!! Jeebus! Thanks Joris – Nel Feb 15 '11 at 06:54
  • @Joris out of curiosity, why did you make your loop suggestion as a comment, rather than an answer? I've seen lots of people doing the same recently on serverfault, but I'm not sure why. – Daniel Lawson Apr 08 '11 at 22:31
  • @Joris Yes, please post it as a comment so I can select it as an answer ;) – Nel Apr 10 '11 at 09:22
  • A note - the correct thing to do is to follow sysadmin1138's advice. It's important that the network be resilient to loops, lest someone take down your network simply by controlling a pair of network jacks and a cable. – Falcon Momot Aug 04 '13 at 10:03

1 Answer


I've seen very similar traffic on my own network. It ended up being a misconfigured rendezvous point in the Cisco router configs. Multicast in Cisco-land requires a rendezvous point to prevent loops. I don't know if that's at all applicable in your setup, though.

sysadmin1138
  • We do have a Cisco 1841, but that's facing outward from the gateway. I don't think that is the problem although I could have a look. The multicast traffic was at about 9-10 Mbits which brought the whole network to a crawl, but now it's at 1-2Mbits, I have no clue how or why it's reduced! – Nel Feb 15 '11 at 06:04
  • @nel It's worth a look. The event I'm thinking of had some of the Cisco gear itself repeating mcast traffic it was seeing. – sysadmin1138 Feb 15 '11 at 06:05
  • Just checked in the configs, nothing related to multicast is set up in there. – Nel Feb 15 '11 at 06:23
  • @Nel You may need to set something. Unfortunately, I'm not fluent in Cisco so someone else will have to help you with that. – sysadmin1138 Feb 15 '11 at 06:25
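
The loop diagnosed in the comments on the question can be confirmed from a capture: a switch loop replays the same datagram, so one source and IP ID repeats many times with an unchanged TTL, even after the sender is powered off. This is an added example, not part of the original thread; the tshark field order, the sample rows and the `min_copies` threshold are assumptions, as is a sender that gives each new datagram a fresh IP ID.

```python
from collections import Counter

# Multicast group and port reported in the question's comments.
WSD_GROUP, WSD_PORT = "239.255.255.250", 3702

# Constructed sample rows, tab-separated, in the assumed order of
# tshark -T fields -e frame.time_relative -e ip.src -e ip.dst
#        -e udp.dstport -e ip.id -e ip.ttl
SAMPLE = "\n".join(
    # One datagram circulating in a loop: same source, IP ID and TTL, 40 copies.
    [f"{0.001 * i:.3f}\t10.10.10.21\t{WSD_GROUP}\t{WSD_PORT}\t0x1a2b\t1"
     for i in range(40)]
    + [
        # Ordinary WS-Discovery messages: each has its own IP ID.
        "0.500\t10.10.10.35\t239.255.255.250\t3702\t0x0101\t1",
        "0.750\t10.10.10.35\t239.255.255.250\t3702\t0x0102\t1",
        # Unrelated multicast that must be ignored.
        "0.900\t10.20.10.7\t224.0.0.251\t5353\t0x7777\t255",
    ]
)

def wsd_counts(text):
    """Count WS-Discovery datagrams per (source, IP ID, TTL)."""
    seen = Counter()
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed or non-IP rows
        _, src, dst, dport, ip_id, ttl = fields
        if dst == WSD_GROUP and dport == str(WSD_PORT):
            seen[(src, ip_id, ttl)] += 1
    return seen

def find_looped_datagrams(text, min_copies=5):
    """Datagrams seen at least min_copies times with identical ID and TTL."""
    return {k: n for k, n in wsd_counts(text).items() if n >= min_copies}

def loop_share(text, min_copies=5):
    """Fraction of WS-Discovery datagrams that are replayed copies."""
    total = sum(wsd_counts(text).values())
    looped = sum(find_looped_datagrams(text, min_copies).values())
    return looped / total if total else 0.0

if __name__ == "__main__":
    for (src, ip_id, ttl), n in find_looped_datagrams(SAMPLE).items():
        print(f"{src} id={ip_id} ttl={ttl}: {n} copies")
    print(f"replayed share of WS-Discovery traffic: {loop_share(SAMPLE):.1%}")
```

A high replayed share points at layer 2 (a cabling loop) rather than at the hosts answering on port 3702.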