SNMP Killing local LAN

Oct 20th, 2006

Why would a wireless PC send out 25,000 SNMP packets a second looking for a network printer when the PC isn't even logged on? When this happens it kills all switches on the site! All lights flash in sequence, and the packets we capture are SNMP GET ISO?


Can someone please help urgently??

glen.grant Fri, 10/20/2006 - 05:29

Don't know; whoever owns the wireless PC would have to tell you that. Could be just a misconfig. Why they are using SNMP at all would be the question I would pose to the user. You don't use SNMP to look for a printer; at least I have never seen anything like that.

carl_townshend Fri, 10/20/2006 - 05:49

Hi there, the thing is, the users weren't even doing anything at the time?

David Stanford Mon, 10/23/2006 - 18:52
User Badges:
  • Cisco Employee,

What SNMP software is installed on the PC? What network management software (SNMP) does the user have loaded that would be sending SNMP gets across the network? From the packet capture, what OID was it trying to query?

mikedavi1 Tue, 10/24/2006 - 19:18

I've seen printer driver software like this before. I don't remember the brand; it was some years ago (circa 1998). It was used to print to a networked copier/printer/fax.


Basic operation for the printer driver went something like:


1) Listen for RIP updates to gather subnet information.


2) Send broadcast and directed broadcast snmpgets to each subnet, using a proprietary OID that only the printer could respond to with a valid value.


3) Having received valid response(s), commence connection with printer(s).


However, the traffic generated by that old driver was nowhere near 25kpps.


Seems there are a few issues here:


A) Why does a printer driver send 25kpps snmpgets?

B) Where/how is it sending them? i.e. multicast, unicast, sequentially by IP, etc.?


C) Which might lead us to the most important question - how can a single PC kill your network?



Carl, can you disclose the driver information and OID(s)? Or perhaps a packet capture where you see the 25k packets/sec?


In the meantime, I'd apply an access-list to your snmp-server community config on your switches and routers so that they will reject all snmp gets from non-authorized hosts. My first guess is that cpu utilization on network devices is reaching critical levels due to either excessive snmp lookups or multicast traffic.



-Michael
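An added example, not part of the original post: one way to answer question B from capture data, reporting per source the peak SNMP request rate and whether the requests go to broadcast, multicast, or a sequential run of unicast addresses. The record format, addresses and threshold are constructed assumptions, and only the local subnet's broadcast address is recognized as broadcast.

```python
import ipaddress
from collections import Counter, defaultdict

SNMP_PORT = 161  # UDP port SNMP agents listen on

def dst_kind(dst, local_net):
    """Classify a destination as multicast, broadcast or unicast."""
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:
        return "multicast"
    if dst == "255.255.255.255" or ip == local_net.broadcast_address:
        return "broadcast"
    return "unicast"

def summarize(records, local_net, pps_threshold):
    """records: iterable of (timestamp_seconds, src_ip, dst_ip, dst_udp_port)."""
    net = ipaddress.ip_network(local_net)
    per_second = defaultdict(Counter)   # src -> {whole second: packet count}
    kinds = defaultdict(Counter)        # src -> {destination kind: packet count}
    unicast = defaultdict(set)          # src -> distinct unicast targets (as ints)
    for ts, src, dst, dport in records:
        if dport != SNMP_PORT:
            continue
        kind = dst_kind(dst, net)
        per_second[src][int(ts)] += 1
        kinds[src][kind] += 1
        if kind == "unicast":
            unicast[src].add(int(ipaddress.ip_address(dst)))
    report = {}
    for src in per_second:
        targets = sorted(unicast[src])
        # A sweep "sequentially by IP" shows up as a run of consecutive addresses.
        sweep = len(targets) >= 3 and all(b - a == 1 for a, b in zip(targets, targets[1:]))
        peak = max(per_second[src].values())
        report[src] = {"peak_pps": peak, "kinds": dict(kinds[src]),
                       "sequential_sweep": sweep, "flagged": peak >= pps_threshold}
    return report

# Constructed sample data: one host sweeping 10.1.2.1-40 plus a local broadcast,
# and one management station polling a single switch once per second.
SAMPLE = [(0.01 * i, "10.1.1.50", f"10.1.2.{i}", 161) for i in range(1, 41)]
SAMPLE += [(0.5, "10.1.1.50", "10.1.1.255", 161)]
SAMPLE += [(0.2, "10.1.1.9", "10.1.1.1", 161), (1.2, "10.1.1.9", "10.1.1.1", 161)]
SAMPLE += [(0.3, "10.1.1.50", "10.1.1.1", 80)]  # non-SNMP traffic is ignored

if __name__ == "__main__":
    for src, row in summarize(SAMPLE, "10.1.1.0/24", pps_threshold=20).items():
        print(src, row)
```
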


carl_townshend Wed, 10/25/2006 - 01:38

Hi there, thanks for your response. We may have sorted the problem now by removing the printer from the PC and installing it on the print server. We have done this on the wireless PCs and now it seems all OK.


thanks
