Cisco Support Community

New Member

Unusual UDP broadcast traffic from Cisco Router

We have a Juniper Firewall with the following:

Eth0/1 Trust (LAN) -

Eth1/0 DMZ -

Eth1/1 DMZ2 -

There is a Cisco Router on

We are seeing a lot of IP Spoofing traffic on the Juniper Firewall. On investigation, we find that there is broadcast traffic from, 3 & 4 to on ports 137 & 138. This occurs in random sequence, but at regular intervals. However, the reason why it is IP Spoofing is that this traffic is generated from the trust zone (i.e. side. When we did a packet trace, we found that the MAC on the source IPs ( was that of the Cisco Router. The Cisco Router is connecting the Branch Office ( to HO. The Cisco Router has static routes of & to allow BO PCs to access servers in the DMZs. We need to investigate further and find the source of this broadcast traffic. My query is, as I am not too familiar with the debug commands on the Cisco Router, how do I capture packets on the Cisco Router, filtered on source or destination IP/port? I also need further help in resolving the issue. Thanks in advance for any help.

Cisco Employee

Re: Unusual UDP broadcast traffic from Cisco Router


Ports 137 & 138 are used to transport NetBIOS over IP. is what we call a directed broadcast and are filtered by default since 12.0:

You can verify if directed broadcast is enabled or not with the show ip interface:

Router# show ip interface g 0/3

GigabitEthernet0/3 is up, line protocol is up

Internet address is

Broadcast address is

Address determined by setup command

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled


It will not help you to identify which machine is generating this traffic but it will help to explain why the router is forwarding it.

If you have only one site behind the router, you should sniff the traffic on the LAN of this site directly. If there is a WAN connection used by this site to join the HO, capturing the traffic on the router will not help to identify the hosts.



New Member

Re: Unusual UDP broadcast traffic from Cisco Router

Thanks Laurent. I have disabled IP Directed Broadcast on the Router Interface facing the Firewall. Still I see the broadcast traffic on the firewall. The idea to look at the traffic inside the router was to confirm that the origin of the traffic was indeed from the BO. Moreover, it was to broaden the understanding of how the internals of the router function. The Router in question is Cisco 1721 and IOS 12.4(1c).


Re: Unusual UDP broadcast traffic from Cisco Router

As a quick note, remember that the MAC of all traffic originating from that interface of that router will bear that interface's MAC address, regardless of the source IP address.

In order to track it back, you need to follow the source IP, and go interface-to-interface on the MAC (a show ip arp will give you an address-to-MAC map).

Every span will change the MAC to the source interface's MAC, but the source IP should be the same (although if it is an attack, it can be manipulated).

Good Luck

New Member

Re: Unusual UDP broadcast traffic from Cisco Router

Thanks Scott. That the Cisco Router is not the originator of the spoofing traffic is understood. However, I would like to peek into the traffic on the router, to trace the track of the traffic. What is unusual is that the source IP 172.30.x.x should not be seen from this zone. I just need to ascertain from the router whether the traffic originates from the 192.100.100.x network or 192.168.1.x. Guess I need to capture traffic on the LAN segment to do that. I was hoping the Cisco Router would present me an easier way to find out.

Cisco Employee

Re: Unusual UDP broadcast traffic from Cisco Router


You can capture transit packets on the router, but it has a serious performance impact, as you first need to fall back to process switching, so it's at your own risk.
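Added example, not part of any post in this thread: a small Python triage over packet records exported from a capture on the firewall's trust segment, showing why the firewall calls this traffic spoofed, which packets are NetBIOS directed broadcasts, and why the source MAC only identifies the router. The prefix lengths, the DMZ subnet, the MAC addresses and the sample records are constructed assumptions; only 172.30.x.x, 192.100.100.x, 192.168.1.x and ports 137/138 come from the thread.

```python
from ipaddress import ip_address, ip_network

# Assumed layout: prefix lengths and the DMZ subnet are placeholders, since
# the thread only gives 192.100.100.x, 192.168.1.x and 172.30.x.x.
ZONE_NETS = {
    "trust": [ip_network("192.100.100.0/24"), ip_network("192.168.1.0/24")],
    "dmz": [ip_network("172.30.1.0/24")],
}
NETBIOS_PORTS = {137, 138}  # NetBIOS name service and datagram service (UDP)

# Constructed records: (ingress zone, src MAC, src IP, dst IP, UDP dst port)
SAMPLE = [
    ("trust", "00:11:22:33:44:55", "172.30.1.3", "172.30.1.255", 137),
    ("trust", "00:11:22:33:44:55", "172.30.1.4", "172.30.1.255", 138),
    ("trust", "00:11:22:33:44:55", "192.168.1.20", "172.30.1.10", 445),
    ("trust", "00:11:22:33:44:55", "192.168.1.21", "172.30.1.255", 137),
    ("dmz", "00:aa:bb:cc:dd:ee", "172.30.1.10", "172.30.1.255", 138),
]

def is_spoofed(src, ingress_zone):
    """Anti-spoof check: the source must sit in a network behind the ingress zone."""
    addr = ip_address(src)
    return not any(addr in net for net in ZONE_NETS[ingress_zone])

def is_directed_broadcast(dst, ingress_zone):
    """True if dst is the broadcast address of a subnet in a different zone."""
    addr = ip_address(dst)
    return any(addr == net.broadcast_address
               for zone, nets in ZONE_NETS.items() if zone != ingress_zone
               for net in nets)

def classify(records):
    findings = []
    for zone, mac, src, dst, port in records:
        tags = []
        if is_spoofed(src, zone):
            tags.append("spoofed-source")
        if port in NETBIOS_PORTS and is_directed_broadcast(dst, zone):
            tags.append("netbios-directed-broadcast")
        if tags:
            findings.append((src, mac, tags))
    return findings

def routed_hop_macs(records):
    """MACs seen with several source IPs: a router interface, not an end host."""
    seen = {}
    for _zone, mac, src, _dst, _port in records:
        seen.setdefault(mac, set()).add(src)
    return {mac for mac, srcs in seen.items() if len(srcs) > 1}
```

A MAC returned by routed_hop_macs is where the trace has to continue on the far side of that hop, following the source IP rather than the MAC.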

