I am troubleshooting a PC that is flooding our switch with directed broadcasts. I think I have covered everything, but since it is still happening, obviously I have not. Can you tell me why a PC would send out directed broadcasts? In other words, what is the purpose of them? The PC's IP address is set to 10.66.6.40 /24 and it is flooding broadcasts to 10.66.6.255. What can it be trying to do?
Nothing reasonable comes to my mind, and it's even more strange that it's using a directed broadcast to the local subnet instead of a general broadcast. You may need to find the host application that's generating these packets and then have a discussion with the vendor of the app.
Yeah, I thought the same thing. That is why I wanted to find out what is the purpose of an IP directed broadcast? What is the PC that is sending it trying to accomplish?
The purpose of a directed broadcast is similar to a local broadcast, i.e. send to all hosts on the subnet, but since it's directed it can be sent to a subnet other than the connected subnet.
Host 192.168.1.5 (/24) can broadcast to all hosts on 192.168.2.0/24.
That I did know. What I was hoping to find out is what is the PC trying to accomplish sending out the directed broadcast? It is not DHCP because it has a static IP address.
From your original post: "The PC's IP address is set to 10.66.6.40 /24 and it is flooding broadcasts to 10.66.6.255". So it is really a packet to the local broadcast - and I am not sure that really counts as a "directed broadcast". It is pretty common behavior to broadcast onto the local subnet, especially for Windows/NetBIOS functions. Would the port numbers be any of the common Windows service ports (137, 139, etc.)?
So it is really a packet to the local broadcast - and I am not sure that really counts as a "directed broadcast".
Rick, interesting observation! Technically, I believe you're correct for this particular example since the broadcast's destination network is the same as the local network. In RFC919 "directed broadcasting" assumes the broadcast packet is routed. In the same RFC, this would be considered a "local broadcast", as would using 255.255.255.255 (also known as "limited broadcast" although not defined by such term in the RFC.)
Where terminology seems like it might break down a little is if the PC at 10.66.6.40 /24 sent to 10.66.255.255. Technically, this would be a "directed broadcast", but the local subnet should behave as if the broadcast was directed to 10.66.6.255 (or 255.255.255.255). I.e., a router shouldn't be needed.
You also make a good point if the PC is running Windows and using NetBIOS. I don't recall what it uses for broadcasts at the IP level, but usually the Windows clients that run NetBIOS on top of TCP use WINS or DNS for address resolution and should do minimal broadcasts. However, this assumes WINS or DNS is available and that the client isn't running in the mode ("B"?) where it tries NetBIOS broadcasts first. (I also recall the default[?] mode ["H"?] tries WINS/DNS first, and there might also be a mode to restrict NetBIOS broadcasts ["M"?]. These modes might also require the host obtain its address from DHCP.)
Mike, just really noticed this "It is not DHCP because it has a static IP address." in one of your follow-up posts. Again, have vague memory that Windows hosts might behave a bit differently by default whether static or DHCP clients. If it is a Windows client, you might search the Microsoft KB for information about client address resolution modes.
Actually now that you point that out I did mis-word it. I just saw the 10.66.6.255 and got that in my head.
I thought DHCP but I have that PC set with a static IP address.
The reason I am trying to find out what may send those broadcasts is that it is continuously sending them (flooding) the switch, and it overwhelmed the CPU on our core switch. I have one person telling me it is a layer 2 issue and another telling me it is layer 3. I am going to put Wireshark on the PC and see what I can. I was trying to get my head around what else would be sending out these broadcasts other than DHCP?
Let me give the layout of how this is set up.
I have a PC running VMWare and it has two NICs and we use it to build VMs in two different subnets, 10.66.6.X /24 and 10.10.104.X /24. I have a little Linksys switch (SLM2008) that is set up with Ports 2 thru 5 in VLAN 104 (10.10.104.X) and ports 6 thru 8 in VLAN 606 (10.66.6.X) and Port 1 is trunked to a Cisco Catalyst 4506 switch which connects via trunk to our core 6509 switches which is the VTP server. The NIC in the 10.66.6.x network has a static IP address and the NIC in the 10.10.104.X network is DHCP. Where the issue was with the CPU running at 90% was with VLAN606, it was flooding the switch and was overflowing the buffer. I unplugged that NIC and it went away. This is not happening with the other NIC on the same PC.
My original assumption was that it was a Windows PC, and my experience is that a Windows PC will frequently generate broadcast messages onto its own subnet, especially when it is attempting to locate some service. Knowing that the PC is running VMWare adds to the possibilities. I still suspect that the PC is attempting to locate some resource or some service and is sending broadcasts because it has not yet found what it is looking for.
Wireshark on the PC would be a good way to investigate. Or configuring an access list on the layer 3 interface for that VLAN identifying the broadcasts (use permit or deny as you wish) and using the log parameter to generate log messages might be the easy way to see what kind of traffic (what port number) is involved.
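Added example, not part of the original thread: a Python sketch of the triage suggested above, classifying each captured destination as limited, local-subnet, or directed broadcast and tallying by source and port. The packet tuples are constructed sample data, and the two subnets are the ones named in the thread; the tuple layout is an assumption about how the capture was exported.

```python
import ipaddress
from collections import Counter

# Subnets named in the thread; VLAN 606 is assumed to be the captured segment.
LOCAL_NET = ipaddress.ip_network("10.66.6.0/24")
KNOWN_NETS = [LOCAL_NET, ipaddress.ip_network("10.10.104.0/24")]
LIMITED = ipaddress.ip_address("255.255.255.255")

def classify_dst(dst, local_net=LOCAL_NET, known_nets=KNOWN_NETS):
    """Classify a destination address as seen from a host on local_net."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED:
        return "limited broadcast"
    if addr == local_net.broadcast_address:
        return "local subnet broadcast"
    # A broadcast address of some *other* subnet has to be routed: directed.
    for net in known_nets:
        if net != local_net and addr == net.broadcast_address:
            return "directed broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"

def broadcast_summary(packets):
    """Count broadcast packets per (src, kind, proto, dport), busiest first."""
    counts = Counter()
    for src, dst, proto, dport in packets:
        kind = classify_dst(dst)
        if "broadcast" in kind:
            counts[(src, kind, proto, dport)] += 1
    return counts.most_common()

# Constructed sample capture: (src, dst, proto, dst_port)
SAMPLE = (
    [("10.66.6.40", "10.66.6.255", "udp", 137)] * 40
    + [("10.66.6.40", "10.66.6.255", "udp", 138)] * 3
    + [("10.66.6.41", "255.255.255.255", "udp", 67)] * 2
    + [("10.66.6.40", "10.10.104.255", "udp", 137)]
    + [("10.66.6.40", "10.66.6.1", "tcp", 443)] * 5
)

if __name__ == "__main__":
    for (src, kind, proto, dport), n in broadcast_summary(SAMPLE):
        print(f"{n:4d}  {src:<12} {kind:<24} {proto}/{dport}")
```

The top row of the summary identifies the sender and the service port to investigate on the host.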