Internetwork Performance Monitor Broadcast Traffic

Unanswered Question
Aug 31st, 2010

About a month ago we migrated out CiscoWorks server to VMware. Ever since we have had a significant amount of broadcast traffic coming from the server. We have noticed this as it is stopped by our firewall.

This traffic is broadcast on UDP port 44342 and 42342

There is also broadcast traffic to the subnet of the server on UDP port 137

From nbstat I can see that this traffic is coming from Internetwork Performance Monitor.

The traffic follows an interesting pattern in that for about 3 days after the server is rebooted it appears constantly then stops completely. After the next reboot the traffic appears again.

Is there anything that can be done to stop this traffic without stopping IPM from working?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Wed, 09/01/2010 - 21:17

Why do you think IPM is sending this traffic?  UDP port 137 is used by Windows for the NetBIOS name service (i.e. resolving NetBIOS names to IP).  I don't see how IPM would need to do a lot of lookups.  However, something like Campus UT may do this when it runs acquisition if the end hosts do not have entries in DNS.

Andrew Klinke Thu, 09/09/2010 - 01:43

After seeing the traffic hit our firewall I did a netstat on the Cisco Works server and found traffic on UDP ports 44342 & 42342 from the process osiagent.exe. Through services I traced this back to the Cisco Works services.

I have seen a post which says this is COBRA agent advertisement traffic. It this so?

If so what exactly is the role of the COBRA agent and can it be administered?



Actions

This Discussion