Broadcast traffic possible problem

Let me give you a little context. I am working in a small company of about 250 users while I finish my studies.

I am not responsible for the state of the network, far from it...

On some occasions when there is not too much work I start doing my own things. When I looked at the PF pflog, I realized that I was receiving a lot of broadcast traffic, or at least that is my way of seeing it; I don't know if it is too much.

The network of this company from my knowledge/ignorance is not very good.

It has about 250 devices connected to a /23 LAN, and yes, they are all on the same one: no VLANs, no LAN segmentation, etc.

Well, in the pf log I am receiving about 13,000 broadcast packets in about 30 min. I don't know if that's too much. I can explain more about the network, but in a limited way, since I don't have much access to the devices.

This is an example:

Code:
00:00:00.000000 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.198633 IP 192.168.2.210.56936 > 255.255.255.255.10001: UDP, length 191
 00:00:00.206774 IP 192.168.3.60.37178 > 255.255.255.255.10001: UDP, length 182
 00:00:00.211506 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.401471 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.409610 IP g4wks001.domain.local.57621 > 192.168.3.255.57621: UDP, length 44
 00:00:00.139976 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.006472 IP 192.168.3.97.57929 > 255.255.255.255.10001: UDP, length 185
 00:00:00.055148 IP g4wksrnd04.domain.local.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 00:00:00.413567 IP 192.168.3.110.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 00:00:00.000000 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.413581 IP 192.168.2.202.51486 > 255.255.255.255.10001: UDP, length 158
 00:00:00.000010 IP g4wksrnd04.domain.local.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 00:00:00.097807 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.208493 IP 192.168.3.110.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 00:00:00.199579 IP 192.168.2.230 > all-systems.mcast.net: igmp v2 report all-systems.mcast.net
 00:00:00.106783 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.099423 IP g4wksrnd04.domain.local.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 00:00:00.000006 IP 192.168.3.99.42739 > 255.255.255.255.10001: UDP, length 185
 00:00:00.407313 IP 192.168.3.110.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
 00:00:00.030177 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.000010 IP 192.168.3.72.netbios-dgm > 192.168.3.255.netbios-dgm: NBT UDP PACKET(138)
 00:00:00.485054 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.518295 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.000020 IP g4wks033.domain.local.netbios-dgm > 192.168.3.255.netbios-dgm: NBT UDP PACKET(138)
 00:00:00.196157 IP g4pc046.domain.local.17500 > 255.255.255.255.17500: UDP, length 194
 00:00:00.000010 IP g4pc046.domain.local.17500 > 192.168.3.255.17500: UDP, length 194
 00:00:00.305290 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.514348 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.223476 IP 192.168.2.137.50452 > 255.255.255.255.10001: UDP, length 192
 00:00:00.297259 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.196577 IP g4pc048.domain.local.17500 > 255.255.255.255.17500: UDP, length 170
 00:00:00.000040 IP g4pc048.domain.local.17500 > 192.168.3.255.17500: UDP, length 170
 00:00:00.000004 IP g4pc048.domain.local.17500 > 255.255.255.255.17500: UDP, length 170
 00:00:00.000003 IP g4pc048.domain.local.17500 > 255.255.255.255.17500: UDP, length 170
 00:00:00.000002 IP g4pc048.domain.local.17500 > 255.255.255.255.17500: UDP, length 170
 00:00:00.000003 IP g4pc048.domain.local.17500 > 255.255.255.255.17500: UDP, length 170
 00:00:00.306718 IP g4wks030.domain.local.netbios-dgm > 192.168.3.255.netbios-dgm: NBT UDP PACKET(138)
 00:00:00.000023 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
 00:00:00.000659 IP 192.168.3.114.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Practically all the traffic is NetBIOS. The computers have it enabled, I don't know why; in theory they don't need it. On the other hand, the UDP traffic on port 17500 is due to the Dropbox application that users have installed.

Is it very serious that in 30 minutes my machine has received 13,000 broadcast packets?

I suppose that network segmentation or a VLAN would be better, but that would not solve the problem; I suppose that the best solution is to end the processes that are generating this type of traffic.

All this is not my problem, do not report any of this to my manager.

As you see it, should something be done about it?

Thanks.
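
As an added example (not part of the original post or thread), the capture above can be tallied per source and per destination port, and the 13,000 packets in 30 minutes expressed as a rate. The sample lines are copied from the post; reading the timestamps as `tcpdump -ttt` deltas is an assumption.

```python
import re
from collections import Counter

# Lines copied from the post; timestamps assumed to be tcpdump -ttt deltas.
SAMPLE = """\
00:00:00.000000 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
00:00:00.198633 IP 192.168.2.210.56936 > 255.255.255.255.10001: UDP, length 191
00:00:00.211506 IP g4wksrnd19.domain.local.53845 > 255.255.255.255.19666: UDP, length 78
00:00:00.409610 IP g4wks001.domain.local.57621 > 192.168.3.255.57621: UDP, length 44
00:00:00.055148 IP g4wksrnd04.domain.local.netbios-ns > 192.168.3.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
00:00:00.199579 IP 192.168.2.230 > all-systems.mcast.net: igmp v2 report all-systems.mcast.net
00:00:00.196157 IP g4pc046.domain.local.17500 > 255.255.255.255.17500: UDP, length 194
00:00:00.000010 IP 192.168.3.72.netbios-dgm > 192.168.3.255.netbios-dgm: NBT UDP PACKET(138)
"""

LINE = re.compile(r"^\s*(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (.*)$")

def split_endpoint(endpoint, has_port):
    # 'host.port': split on the last dot, since host names contain dots too.
    if not has_port:
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, port

def summarize(text):
    # Returns (packets per source, packets per destination port, seconds covered).
    by_src, by_port, elapsed = Counter(), Counter(), 0.0
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not an IPv4 packet line
        hours, minutes, seconds, src, dst, rest = m.groups()
        elapsed += int(hours) * 3600 + int(minutes) * 60 + float(seconds)
        has_port = not rest.startswith("igmp")  # IGMP lines carry no ports
        src_host, _ = split_endpoint(src, has_port)
        _, dst_port = split_endpoint(dst, has_port)
        by_src[src_host] += 1
        by_port[dst_port or "igmp"] += 1
    return by_src, by_port, elapsed

def rate(packets, seconds):
    # Average packets per second over the window.
    return packets / seconds

if __name__ == "__main__":
    by_src, by_port, elapsed = summarize(SAMPLE)
    print("top sources:  ", by_src.most_common(3))
    print("top dst ports:", by_port.most_common(3))
    print("post's figure: %.1f pkt/s" % rate(13000, 30 * 60))
```

Run over the full pflog capture, the per-source and per-port counters show which hosts and services account for most of the broadcasts.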
 
Looks pretty normal to me. I don't even want to know what kind of broadcast volume I have on my entertainment subnet.
 
When I was managing a small company network, I found the reason for a lot of traffic.
It was not porn, it was not a virus, it was everybody listening to internet radio.
 
What function do the computers that are the source of the UDP traffic perform?
I think I found the reason, I am used to being a detective, since I have the minimum information.

Apparently on our server that uses Windows Server 2012, apart from acting as AD, it is also assigned the role of DNS and WINS server. That is the reason for the netbios traffic, the server has both enabled, and the DNS service performs a direct query to the WINS list...

WINS updates the statistics every 10 minutes.

Looks pretty normal to me. I don't even want to know what kind of broadcast volume I have on my entertainment subnet.
Well, I thought it would be more worrying to see those 13,000 packets in half an hour.

But in theory the WINS server would not be necessary, there are better ways to do that, or so I think.

Anyway, it's not my problem, and my suggestions are directly redirected to /dev/null

Well, it was just a bit of curiosity, I see that it is not a serious problem after what you comment, possibly that traffic is not even 8% of network traffic.

Thanks.
 
Apparently on our server that uses Windows Server 2012, apart from acting as AD, it is also assigned the role of DNS and WINS server. That is the reason for the netbios traffic, the server has both enabled, and the DNS service performs a direct query to the WINS list...
Yeah, turn that WINS crap off. It's for Windows systems before Windows 2000. All of them ancient and you really shouldn't have any of those any more.

But in theory the WINS server would not be necessary, there are better ways to do that, or so I think.
Since W2K everything depends on DNS only.
 
As I feared my proposal has been denied, we continue the same. Well at least I was able to know what it is due to.

There are many strange methods in this IT department; maybe one day there will be an off-topic thread with a list of them. I would like to know the opinion of the community.

Thanks guys.
 