Multicast Traffic???

Unanswered Question
Nov 6th, 2007

We have been experiencing high bandwidth (~5Mbps) usage on one of our WAN links out of normal office hours when we would expect there to be very little activity.

A packet capture from the main core switch has shown a lot of what we believe to be multicast traffic, but we have been unable to verify this and track the source. An example packet is below.

How is it best to go about identifying and tracing this traffic?


No.  Time      Source             Destination        Protocol  Info
1    0.000000  00:00:00_00:fe:00  01:00:5e:0f:01:fa  0x7005    Ethernet II

Frame 1 (1322 bytes on wire, 1322 bytes captured)
    Arrival Time: Nov 6, 2007 09:47:28.018484000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 1322 bytes
    Capture Length: 1322 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:data]
Ethernet II, Src: 00:00:00_00:fe:00 (00:00:00:00:fe:00), Dst: 01:00:5e:0f:01:fa (01:00:5e:0f:01:fa)
    Destination: 01:00:5e:0f:01:fa (01:00:5e:0f:01:fa)
        Address: 01:00:5e:0f:01:fa (01:00:5e:0f:01:fa)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:00:00_00:fe:00 (00:00:00:00:fe:00)
        Address: 00:00:00_00:fe:00 (00:00:00:00:fe:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: Unknown (0x7005)
Data (1308 bytes)

Paolo Bevilacqua Tue, 11/06/2007 - 10:35


Ethertype 0x7005 would be "Ungermann-Bass Bridge Spanning Tree", something very old and unlikely to be still in use. Either you have such an antique in the network, or someone is pretending to be that.

At some point, when the decode doesn't help identifying the source, you must scan all ports in your network to find the culprit based on traffic volume.

Hope this helps, please rate post if it does!
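As an added example that is not part of the original thread, the following Python script does the same first-pass triage on a raw frame that the decode above shows: it reads the Ethernet II header, tests the I/G and L/G bits, labels the ethertype, and expands a 01:00:5e multicast MAC into the 32 IPv4 groups that share it. The sample frame is constructed from the header values in the capture (the 1308-byte payload is zero-filled), and the ethertype names, including the 0x7005 label taken from the reply, are assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Ethertype labels are assumptions; the 0x7005 name is the one given in the reply above.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q",
              0x7005: "Ungermann-Bass Bridge Spanning Tree"}
IPV4_MCAST_OUI = bytes.fromhex("01005e")  # IPv4 multicast MACs: 01:00:5e:00:00:00 - 01:00:5e:7f:ff:ff

@dataclass
class EthHeader:
    dst: bytes
    src: bytes
    ethertype: int
    payload_len: int
    def dst_is_group(self) -> bool:  # I/G bit: lowest bit of the first destination octet
        return bool(self.dst[0] & 0x01)
    def src_is_local(self) -> bool:  # L/G bit: second-lowest bit of the first source octet
        return bool(self.src[0] & 0x02)

def parse_ethernet(frame: bytes) -> EthHeader:
    """Split a raw frame into its 14-byte Ethernet II header fields and payload length."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return EthHeader(dst, src, etype, len(frame) - 14)

def ipv4_groups_for_mac(mac: bytes) -> list:
    """The 32 IPv4 multicast groups that map to this MAC, or [] if it is not an IPv4 multicast MAC."""
    if mac[:3] != IPV4_MCAST_OUI or mac[3] & 0x80:
        return []
    low23 = int.from_bytes(mac[3:], "big")  # only the low 23 bits of the group survive in the MAC
    # 224.0.0.0/4 is 1110 + 28 bits; the 5 bits above the low 23 are lost, hence 32 candidates
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]

def classify(hdr: EthHeader) -> str:
    name = ETHERTYPES.get(hdr.ethertype, f"unknown 0x{hdr.ethertype:04x}")
    if not hdr.dst_is_group():
        return f"unicast, {name}"
    if hdr.dst == b"\xff" * 6:
        return f"broadcast, {name}"
    if hdr.ethertype != 0x0800 and ipv4_groups_for_mac(hdr.dst):
        # IPv4-style multicast MAC but no IP payload: the group mapping is coincidental, so the
        # IGMP/mroute tables will not help; trace by source MAC and switch port instead.
        return f"IPv4-style multicast MAC with non-IP payload ({name}); trace by source MAC/port"
    return f"multicast, {name}"

# Constructed frame with the header values from the capture above; payload zero-filled (not on the page).
SAMPLE_FRAME = bytes.fromhex("01005e0f01fa" "00000000fe00" "7005") + b"\x00" * 1308
```

Running `classify(parse_ethernet(SAMPLE_FRAME))` on the constructed frame yields the "non-IP payload" verdict, which is why the reply's advice to find the sender by port traffic volume, rather than by multicast routing state, is the right next step.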

