Security Incidents mailing list archives
Re: Ether Broadcast
From: Jeff <jeff () TCNET ORG>
Date: Tue, 19 Dec 2000 15:10:27 -0500
Shawn-

In regards to the ethernet broadcast traffic you've been seeing...

Microsoft owns the Ethernet protocol type 88-6f (hex). See <URI:http://standards.ieee.org/regauth/ethertype/type-pub.html>.

It sounds like a Windows 2000 cluster doing Network Load Balancing. Ethernet protocol type and bandwidth utilization seem to match the following description:

``In unicast mode, each cluster host periodically broadcasts heartbeat messages, and in multicast mode, it multicasts these messages. Each heartbeat message occupies one Ethernet frame and is tagged with the cluster's primary IP address so that multiple clusters can reside on the same subnet. Network Load Balancing's heartbeat messages are assigned an ether type-value of hexadecimal 886F. The default period between sending heartbeats is one second, and this value can be adjusted with the AliveMsgPeriod registry parameter. During convergence, the exchange period is reduced by half in order to expedite completion. Even for large clusters, the bandwidth required for heartbeat messages is very low (for example, 24 Kbytes/second for a 16-way cluster).''

<URI:http://www.microsoft.com/TechNet/win2000/nlbovw.asp>

With a proper decode of the packet data, you should find the cluster's primary IP address.

Enjoy, and thanks for the hunt. :)

-jeff

--
Jeff Godin
Network Specialist
Traverse Area District Library / Traverse Community Network
jeff () tcnet org
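An added example, not part of the original message: one way to confirm the diagnosis above from a capture is to pick out frames with EtherType 0x886F and check that each source sends them at roughly the one-second default period. The MAC addresses, timestamps and filler payload are constructed; the heartbeat body layout is not given in the message, so the code does not try to decode the cluster IP.

```python
import struct
from collections import defaultdict
NLB_ETHERTYPE = 0x886F   # heartbeat EtherType named in the message
VLAN_TPID = 0x8100       # 802.1Q tag, skipped if present
BROADCAST = b"\xff" * 6

def parse_ethernet(frame):
    """Return (dst, src, ethertype) of a raw frame, looking past one VLAN tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == VLAN_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (etype,) = struct.unpack("!H", frame[16:18])
    return dst, src, etype

def summarize_heartbeats(capture):
    """capture: (timestamp_seconds, raw_frame) pairs -> per-source 0x886F stats."""
    seen = defaultdict(list)
    for ts, frame in capture:
        try:
            dst, src, etype = parse_ethernet(frame)
        except ValueError:
            continue  # runt frame, nothing to classify
        if etype == NLB_ETHERTYPE:
            seen[src].append((ts, dst))
    report = {}
    for src, rows in seen.items():
        times = sorted(ts for ts, _ in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[":".join(f"{b:02x}" for b in src)] = {
            "frames": len(rows),
            "dst": "broadcast" if all(d == BROADCAST for _, d in rows) else "multicast/other",
            "mean_period": sum(gaps) / len(gaps) if gaps else None,
        }
    return report

def sample_capture():  # constructed frames; filler payload, not the real heartbeat body
    def frame(dst, src, etype, vlan=False):
        tag = struct.pack("!HH", VLAN_TPID, 10) if vlan else b""
        return dst + src + tag + struct.pack("!H", etype) + b"\x00" * 46
    a, b = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
    cap = [(float(t), frame(BROADCAST, a, NLB_ETHERTYPE)) for t in range(4)]
    cap += [(t + 0.5, frame(BROADCAST, b, NLB_ETHERTYPE, vlan=True)) for t in range(3)]
    return cap + [(0.2, frame(BROADCAST, a, 0x0806)), (0.3, b"\xff" * 10)]  # ARP, runt

if __name__ == "__main__":
    print(summarize_heartbeats(sample_capture()))
```

A mean period near 1.0 s from a small, stable set of source addresses fits the heartbeat description quoted above; a very different rate or a changing set of sources does not.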