?
Solved

SAP General Response Packets

Posted on 1998-12-15
3
Medium Priority
?
314 Views
Last Modified: 2006-11-17
I am seeing SAP General Response packets from machines all over the network.  This is not typical of our network.  Can anyone tell me what may be causing this?
0
Comment
Question by:jerryross
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
brosenb0 earned 400 total points
ID: 1594455
Jerryross,

Without seeing your Sniffer, Lanalyzer or other analyser traces, one may only speculate, however, SAP General Service Response packets or SAP_GSRs are complementary to SAP General Service Query packets or SAP_GSQs.  Thus, SAP_GSRs are responses to SAP_GSQs with SAP_GSQs being a broadcast request.  SAP_GSRs may originate from servers or routers (basically any device that maintains a SAP table), with SAP_GSQs typically originating from workstations.  Because SAP_GSQs are a broadcast request, all devices that can respond that receive the request will attempt to respond, effectively causing a one-way broadcast response storm.  This is one reason why effective SAP filtering MUST be in place.

The best way to filter this is put an access list on each router port that filters the request, thus only allowing the local router port to service the request.

Q.  What causes the transmission of SAP_GSQ and hence SAP_GSR packets?

A.  One common cause of the transmission of SAP_GSQ packets is due to a workstation that does not receive a response to a SAP_GNS or Get Nearest Server request when the NetWare client first connects to the network.  When a workstation does not receive a request to a SAP_GNS request (also a broadcast) it sends a SAP_GSQ in an attempt to find a file server.

Q.  Why would SAP_GNS requests suddenly be receiving no response?

A.  Two main reasons,

1.  A file server that did reside  on the workstation's local segment has since been disabled or moved and SAP_GNS ACLs were already in place on the local router port, effectively prohibiting other servers on other segments from responding.

2.  A SAP_GNS ACL has recently been installed on the local router port and no server did reside on the workstation's local segment.
 
Q.  What other reasons are there for a device to send a SAP_GSQ?

A.  There are many applications that rely on SAP_GSQs to locate their services on the network.  RPrinter, NPrinter (non logged into NDS mode), ARCserve Manager, RConsole, Gupta SQLBase, Pervasive SQL, Oracle for NetWare.......   Thus, the addition of a new application may be the cause of the sudden increase.

Q.  How can you determine which device is sending the SAP_GSQs?

A.  You can filter for the SAP_GSQs with your analyser to see if any particular device is sending all the requests and you can look at the SAP_GSRs and examine the destination network, destination node to determine if all responses are being sent to a particular node.   Make sure you use an analyser such as the Sniffer or Lanalyser that can understand and decode from NCP to IPX to MAC level.  Offerings such as NetXRay do not truly understand the NetWare protocols and won't be much help.

I suggest you obtain a copy of the SAPMON utility which will allow you to monitor and analyse SAP traffic on your network.  http://www.net-utils.com/utils/sapmn12.exe
 
0
 

Author Comment

by:jerryross
ID: 1594456
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0
 

Author Comment

by:jerryross
ID: 1594457
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question