HP access points sending multicast packets from an IP that isn't their own

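I'm not our normal networking guy... I just got drafted to help out with this problem, so please bear with me.

We have a fairly large (around 4000 devices?) network that is mostly made up of HP Procurve equipment. Over the past few weeks we have been getting some kind of broadcast storm that kills nearly all of the traffic going over the network. I set up Wireshark to make 5 MB dumps, and this morning I caught some of this behavior in it.

You can download the packet capture. The fun starts at packet #23968. What appear to be malformed NBNS packets just repeat over and over. It isn't just a straight loop, though. The source (143.226.8.185) and destination (143.226.44.79) IP addresses stay the same, but the source MAC address changes. The first packet appears to come from some insignificant device on the network and is sent to multicast address 01:00:5e:7f:ff:fa. All of the packets after that come from the MAC addresses of our HP wireless access points and are sent to a different multicast address, 01:00:5e:62:2c:4f.

Here is the first packet: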

    No.     Time        Source          Destination     Protocol Info
    23968   122.229240  143.226.8.185   143.226.44.79   NBNS     Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]

    Frame 23968 (1038 bytes on wire, 1038 bytes captured)
        Arrival Time: Sep 15, 2010 08:32:44.329966000
        [Time delta from previous captured frame: 0.004744000 seconds]
        [Time delta from previous displayed frame: 0.004744000 seconds]
        [Time since reference or first frame: 122.229240000 seconds]
        Frame Number: 23968
        Frame Length: 1038 bytes
        Capture Length: 1038 bytes
        [Frame is marked: True]
        [Protocols in frame: eth:ip:udp:nbns]
        [Coloring Rule Name: SMB]
        [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
    Ethernet II, Src: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
        Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
            Address: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
            Address: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
        Trailer: 7773643D22687474703A2F2F736368656D61732E786D6C73...
        Frame check sequence: 0x6f70653e [incorrect, should be 0x30019938]
    Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 203
        Identification: 0x00d0 (208)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 128
        Protocol: UDP (0x11)
        Header checksum: 0xe485 [correct]
            [Good: True]
            [Bad : False]
        Source: 143.226.8.185 (143.226.8.185)
        Destination: 143.226.44.79 (143.226.44.79)
    User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
        Source port: netbios-ns (137)
        Destination port: netbios-ns (137)
        Length: 183
        Checksum: 0x01db [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    NetBIOS Name Service
        Transaction ID: 0x4d2d
        Flags: 0x5345 (Unknown operation)
            0... .... .... .... = Response: Message is a query
            .101 0... .... .... = Opcode: Unknown (10)
            .... ..1. .... .... = Truncated: Message is truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... ...0 .... = Broadcast: Not a broadcast packet
        Questions: 16722
        Answer RRs: 17224
        Authority RRs: 8234
        Additional RRs: 8264
        Queries
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (12081)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (11631)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25701)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25914)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25970)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (18273)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (24953)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (26979)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (3338)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (14882)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (28730)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25455)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (8717)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (28513)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (29287)
    [Malformed Packet: NBNS]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Message: Malformed Packet (Exception occurred)]
            [Severity level: Error]
            [Group: Malformed]

Here is the next packet:

    No.     Time        Source          Destination     Protocol Info
    23969   122.229836  143.226.8.185   143.226.44.79   NBNS     Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]

    Frame 23969 (217 bytes on wire, 217 bytes captured)
        Arrival Time: Sep 15, 2010 08:32:44.330562000
        [Time delta from previous captured frame: 0.000596000 seconds]
        [Time delta from previous displayed frame: 0.000596000 seconds]
        [Time since reference or first frame: 122.229836000 seconds]
        Frame Number: 23969
        Frame Length: 217 bytes
        Capture Length: 217 bytes
        [Frame is marked: True]
        [Protocols in frame: eth:ip:udp:nbns]
        [Coloring Rule Name: SMB]
        [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
    Ethernet II, Src: HewlettP_05:de:da (00:17:a4:05:de:da), Dst: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
        Destination: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
            Address: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: HewlettP_05:de:da (00:17:a4:05:de:da)
            Address: HewlettP_05:de:da (00:17:a4:05:de:da)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 203
        Identification: 0x00d0 (208)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 127
        Protocol: UDP (0x11)
        Header checksum: 0xe585 [correct]
            [Good: True]
            [Bad : False]
        Source: 143.226.8.185 (143.226.8.185)
        Destination: 143.226.44.79 (143.226.44.79)
    User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
        Source port: netbios-ns (137)
        Destination port: netbios-ns (137)
        Length: 183
        Checksum: 0x01db [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    NetBIOS Name Service
        Transaction ID: 0x4d2d
        Flags: 0x5345 (Unknown operation)
            0... .... .... .... = Response: Message is a query
            .101 0... .... .... = Opcode: Unknown (10)
            .... ..1. .... .... = Truncated: Message is truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... ...0 .... = Broadcast: Not a broadcast packet
        Questions: 16722
        Answer RRs: 17224
        Authority RRs: 8234
        Additional RRs: 8264
        Queries
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (12081)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (11631)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25701)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25914)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25970)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (18273)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (24953)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (26979)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (3338)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (14882)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (28730)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (25455)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (8717)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (28513)
            Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
                Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
                Type: unknown
                Class: Unknown (29287)
    [Malformed Packet: NBNS]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Message: Malformed Packet (Exception occurred)]
            [Severity level: Error]
            [Group: Malformed]

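Crazy, no? If you look closer at the packet capture, you'll see that this packet is repeated a lot after that. After that, keep going and there is still more.

If this is a loop, then why are only our APs sending this packet? These APs are scattered around our campus.

Some more info about our network... It's flat. Straight Ethernet runs to everything, and we have a class B block of IPs. No subnets. There is a packet shaper, a firewall and a router between our network and our WAN connection.

Finally, if you see this post and it looks familiar, that's because I posted a similar problem in the past that we never resolved but haven't seen lately. That one can be found at "HP switches sending out multicast ping requests".

Thanks very much for your time!

EDIT: Packet 23968 has been confirmed as the trigger for this multicast storm. I replayed that one packet onto our network and it kicked it off again.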

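EDIT/UPDATE: Doing more experimenting. I've taken one of our HP access points and plugged it directly into my computer. Nothing else is attached to that segment. If I replay the initial packet that causes the problem at the AP, the AP replies once. If I replay the AP's reply back to the AP, it replies again. Each time this is done, the TTL is lowered. What is happening here is that the APs on the network initially hear the broken multicast packet from the host and reply to it via multicast. Each AP receives those replies from all the other APs and replies to them. Each AP hears the responses to those replies and replies to them. Luckily, it lowers the TTL each time, so once the TTL reaches 0, the storm dies out and the packets get killed. Now what I need to do is figure out how to stop this behavior!

The AP I have in front of me is an HP Procurve 420 J8130B.

EDIT (SOLVED!): After trying seemingly every configuration setting on the AP, I still could not stop it from resending these multicast packets. I found that we were not on the latest firmware, so I tried upgrading, but the problem persisted. I then tried downgrading to version 2.1.7 from November 29, 2006. No problem with this firmware! APs running 2.1.7 do not retransmit the packet! I'm still waiting to figure out how the garbage data is getting onto the network, but the problem is solved for now. We are working on a bug report with HP.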

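First of all, those are not NBNS packets. They are actually Universal Plug and Play packets from a device attempting to search for an "Internet Gateway Device". UPNP-IGD uses IPv4 multicast to locate such edge devices. The protocol, shall we say, expects there to be only one. The packet payload is: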

    M-SEARCH * HTTP/1.1
    Host:239.255.255.250:1900
    ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
    Man:"ssdp:discover"
    MX:3

    .xmlsoap.org/ws/2004/08/addressing" xmlns:

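Some applications use IGD to tell a consumer NAT gateway how to handle NAT traversal for certain protocols. IM applications and the like. You can make Wireshark display things better by telling it to decode UDP/137 as HTTP for this capture.

Now, as for why this is a big problem that causes a multicast storm. Before the storm hits, you have packets of the same type, but they are correctly sent to 239.255.255.250:1900. In fact, packet 23955 comes from the same device that starts the storm at 23968. However, packet 23968 shows the same destination MAC address (one that denotes IPv4 multicast), but the destination IP address is inside your /16 block and should not be multicast.

Packet 23604 is also very malformed. It has a valid Ethernet header, but the IP header is weirdly truncated and ends with the same UPNP-IGD string quoted above. The device emitting this odd, odd packet is the same device (well, from the same MAC address, anyway) as packet 23968, which kicked off the multicast storm.

My best guess is that the device at 00:1F:3B:D2:5E:6D is either compromised in some way, or is the only one handling these UPNP search requests incorrectly. Packet 24717 shows another M-SEARCH request from that same device, to 239.255.255.250:3702. Right IP address, wrong port (should be 1900).

My guess is that the multicast storm is being kicked off by that packet with a unicast IP address going to a multicast MAC address, an invalid case that your network gear is not handling correctly. This is hinted at by the fact that the packets after the initial one all claim to be from the same source IP (143.226.8.185), but the MAC addresses are all different. You have a bad device that managed to find a bug in your network gear's multicast/unicast handling.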
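
The mismatch described in the answer above can be checked mechanically. The following is an added example, not code from the original posts: it parses raw Ethernet II frames and flags a unicast destination IP carried in an 01:00:5e multicast frame, and, going slightly beyond the page's case, a multicast IP whose MAC does not match the standard low-23-bit mapping. The function names are hypothetical and the sample frames are constructed from the addresses and TTLs quoted on this page. Applying the mapping to the unicast address 143.226.44.79 yields 01:00:5e:62:2c:4f, the destination MAC seen on the AP's retransmission.

```python
import ipaddress
import struct

MCAST_OUI = bytes.fromhex("01005e")  # IPv4 multicast MAC prefix

def mcast_mac_for(ip):
    """01:00:5e MAC built from the low 23 bits of an IPv4 address (RFC 1112 mapping)."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return MCAST_OUI + low23.to_bytes(3, "big")

def fmt_mac(mac):
    return ":".join(f"{b:02x}" for b in mac)

def classify(frame):
    """Verdict for one raw, untagged Ethernet II frame; UDP ports are not inspected."""
    if len(frame) < 34:
        return "too-short"
    if frame[12:14] != b"\x08\x00":
        return "not-ipv4"
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        return "bad-ip-header"
    dst_mac = frame[0:6]
    dst_ip = ipaddress.IPv4Address(frame[30:34])
    if dst_ip.is_multicast:
        return "ok" if dst_mac == mcast_mac_for(str(dst_ip)) else "mcast-ip-wrong-mac"
    if dst_mac[:3] == MCAST_OUI and dst_mac[3] < 0x80:
        return "unicast-ip-in-mcast-frame"  # the case the answer describes
    return "ok"

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl):
    """Constructed sample: Ethernet II + IPv4 header (checksum left at 0) + empty UDP."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x00D0, 0, ttl, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", 137, 137, 8, 0)
    macs = bytes.fromhex((dst_mac + src_mac).replace(":", ""))
    return macs + b"\x08\x00" + ip + udp

# Constructed frames; the addresses and TTLs are the ones quoted on this page.
HOST, AP = "00:1f:3b:d2:5e:6b", "00:17:a4:05:de:da"
SAMPLES = {
    "well-formed multicast": build_frame("01:00:5e:7f:ff:fa", HOST, "143.226.8.185", "239.255.255.250", 128),
    "trigger (23968)": build_frame("01:00:5e:7f:ff:fa", HOST, "143.226.8.185", "143.226.44.79", 128),
    "AP repeat (23969)": build_frame("01:00:5e:62:2c:4f", AP, "143.226.8.185", "143.226.44.79", 127),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        print(f"{label:22} dst_mac={fmt_mac(frame[:6])} -> {classify(frame)}")
    print("143.226.44.79 maps to", fmt_mac(mcast_mac_for("143.226.44.79")))
```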

@Brad: I just saw this and wondered whether it gives you some insight into the problem.

http://support.microsoft.com/kb/317843

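My suggestion is to open Task Manager on the host that is sending the broadcasts and try closing all of the applications that could be sending things to the network, while watching the packets on the network (Wireshark), in order to find the offending application.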