  1. #1
    MrP

    Wireshark Capture ARP Broadcasts - Do I have a loop?

    Hi All,

    We've been experiencing excessive broadcasts in my company for a while now which sometimes cause brief outages. I started running Wireshark to capture broadcasts during these storms by mirroring the uplink port of one of the switches. The output of the capture is as follows:-

    289837 2013-11-04 16:43:46.503029000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289838 2013-11-04 16:43:46.503036000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289839 2013-11-04 16:43:46.503044000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289840 2013-11-04 16:43:46.503053000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289841 2013-11-04 16:43:46.503060000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289842 2013-11-04 16:43:46.503066000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289843 2013-11-04 16:43:46.503071000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289844 2013-11-04 16:43:46.503078000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289845 2013-11-04 16:43:46.503083000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289846 2013-11-04 16:43:46.503089000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289847 2013-11-04 16:43:46.503094000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
    289848 2013-11-04 16:43:46.503100000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89

    This literally goes on for hundreds or thousands of packets within the same second. Does this mean I have a loop somewhere in the network causing duplicate ARP Broadcast packets? The device (10.163.255.89) is a server for video conferencing units and 10.163.255.5 is a video conferencing unit. When we get these broadcast storms, the captures seem only to pick up these ARPs from devices on the video conferencing VLAN which is an end-to-end VLAN, therefore it is geographically spread across most of the network with QoS priority so when this happens, it throttles all of the uplinks, sometimes causing outages. As far as I know MSTP is configured on all switches, but I'm relatively new to this network and there are over 200 switches.

    Thanks in advance for any advice on this.
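
An added example, not part of the original posts: one way to quantify bursts like the one in the capture above from Wireshark's text export. The function names, the 1 ms gap threshold and the 5-frame minimum are assumptions; the first five sample lines are copied from the post and the last one is constructed. It only measures the repetition and does not say whether a loop or the sending host is the cause.

```python
import re
from datetime import datetime, timezone

# One line of the text export shown in the post: frame number, date, time,
# source, then "Broadcast ARP Who has <target>? Tell <sender>".
LINE = re.compile(
    r"^\s*\d+\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{1,9})\s+(\S+)\s+"
    r"Broadcast\s+ARP\s+Who has (\S+?)\?\s+Tell (\S+)\s*$")

def parse(line):
    """Return (timestamp_ns, (source, target_ip, sender_ip)) or None."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, frac, src, target, sender = m.groups()
    # Treat the capture clock as UTC; only differences between frames matter.
    whole = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    ns = int(whole.timestamp()) * 10**9 + int(frac.ljust(9, "0"))
    return ns, (src, target, sender)

def find_bursts(lines, max_gap_ns=1_000_000, min_frames=5):
    """Group identical ARP requests whose gaps stay within max_gap_ns."""
    current, bursts = {}, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not an ARP broadcast request line
        ts, key = rec
        b = current.get(key)
        if b and ts - b["end"] <= max_gap_ns:
            b["end"], b["frames"] = ts, b["frames"] + 1
        else:
            b = current[key] = {"key": key, "start": ts, "end": ts, "frames": 1}
            bursts.append(b)
    for b in bursts:
        b["mean_gap_us"] = (b["end"] - b["start"]) / max(b["frames"] - 1, 1) / 1000
    return [b for b in bursts if b["frames"] >= min_frames]

# First five lines are from the capture in the post; the last one is constructed.
SAMPLE = """\
289837 2013-11-04 16:43:46.503029000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
289838 2013-11-04 16:43:46.503036000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
289839 2013-11-04 16:43:46.503044000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
289840 2013-11-04 16:43:46.503053000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
289841 2013-11-04 16:43:46.503060000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.5? Tell 10.163.255.89
289900 2013-11-04 16:43:48.100000000 Vmware_a2:00:c0 Broadcast ARP Who has 10.163.255.7? Tell 10.163.255.89
"""

if __name__ == "__main__":
    for b in find_bursts(SAMPLE.splitlines()):
        print(b["key"], b["frames"], "frames, mean gap", b["mean_gap_us"], "us")
```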

  2. #2
    Marshall_IT
    Do you always get the tell to the same device or is it different devices too?

  3. #3

    m25man
    I'm looking into a similar issue with a VMWare host.
    Ping any VM hosted on the VMWare cluster and the first few packets are lost; after this the VMWare host responds and the ping is sustained at the expected rate.
    We are not yet certain if the issue is hardware based on the host (an HP3000 Blade) or the VMWare 4.1 virtual switch.

    It's causing the client a lot of grief. The original supplier and their VMWare experts have so far drawn a blank, but our testing has brought us to the Host/VMWare config, which we can see has not been updated in 3.5 years!

    How is your Host/Virtual switch configured? And what physical resources do those IP addresses refer to?

    In our case it appears to be an ARP issue at the VMWare level.

  4. #4
    MrP
    Originally posted by Marshall_IT:
        Do you always get the tell to the same device or is it different devices too?

    Hi Marshall, it's not always the same device, but they are always related devices on the same subnet (10.163.255.0/24), i.e. they are always video conferencing units or servers for video conferencing.

  5. #5

    AngryTechnician
    Not a VMWare expert, but I did find this post on a previous known issue with ESX sending out excessive RARP broadcasts... worth checking you have the updates that fix it?

    Possible reasons for RARP storms from an ESX host | VirtuallyHyper

  6. #6
    MrP
    Originally posted by m25man:
        I'm looking into a similar issue with a VMWare host.
        Ping any VM hosted on the VMWare cluster and the first few packets are lost; after this the VMWare host responds and the ping is sustained at the expected rate.
        We are not yet certain if the issue is hardware based on the host (an HP3000 Blade) or the VMWare 4.1 virtual switch.

        It's causing the client a lot of grief. The original supplier and their VMWare experts have so far drawn a blank, but our testing has brought us to the Host/VMWare config, which we can see has not been updated in 3.5 years!

        How is your Host/Virtual switch configured? And what physical resources do those IP addresses refer to?

        In our case it appears to be an ARP issue at the VMWare level.

    You might be onto something. We don't manage the configuring of our UCS Switch so I can't see the configuration unfortunately - my vision from a networking perspective stops at the HP switches it is connected to. The .89 address is the virtual server for video conferencing (TMS) and the .5 address is a video conferencing unit.

  7. #7
    MrP
    Originally posted by AngryTechnician:
        Not a VMWare expert, but I did find this post on a previous known issue with ESX sending out excessive RARP broadcasts... worth checking you have the updates that fix it?

        Possible reasons for RARP storms from an ESX host | VirtuallyHyper

    I think this is a strong possibility. There are other captures I have that are almost purely Gratuitous ARPs from the same virtual TMS Server. I will have another read through before I decide how I'm going to implement it. I will let you know the result. Thank you all for your help.
