Solved

SAP General Response Packets

Posted on 1998-12-15
3
311 Views
Last Modified: 2006-11-17
I am seeing SAP General Response packets from machines all over the network.  This is not typical of our network.  Can anyone tell me what may be causing this?
0
Comment
Question by:jerryross
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
brosenb0 earned 100 total points
ID: 1594455
Jerryross,

Without seeing your Sniffer, Lanalyzer or other analyser traces, one may only speculate, however, SAP General Service Response packets or SAP_GSRs are complementary to SAP General Service Query packets or SAP_GSQs.  Thus, SAP_GSRs are responses to SAP_GSQs with SAP_GSQs being a broadcast request.  SAP_GSRs may originate from servers or routers (basically any device that maintains a SAP table), with SAP_GSQs typically originating from workstations.  Because SAP_GSQs are a broadcast request, all devices that can respond that receive the request will attempt to respond, effectively causing a one-way broadcast response storm.  This is one reason why effective SAP filtering MUST be in place.

The best way to filter this is put an access list on each router port that filters the request, thus only allowing the local router port to service the request.

Q.  What causes the transmission of SAP_GSQ and hence SAP_GSR packets?

A.  One common cause of the transmission of SAP_GSQ packets is due to a workstation that does not receive a response to a SAP_GNS or Get Nearest Server request when the NetWare client first connects to the network.  When a workstation does not receive a request to a SAP_GNS request (also a broadcast) it sends a SAP_GSQ in an attempt to find a file server.

Q.  Why would SAP_GNS requests suddenly be receiving no response?

A.  Two main reasons,

1.  A file server that did reside  on the workstation's local segment has since been disabled or moved and SAP_GNS ACLs were already in place on the local router port, effectively prohibiting other servers on other segments from responding.

2.  A SAP_GNS ACL has recently been installed on the local router port and no server did reside on the workstation's local segment.
 
Q.  What other reasons are there for a device to send a SAP_GSQ?

A.  There are many applications that rely on SAP_GSQs to locate their services on the network.  RPrinter, NPrinter (non logged into NDS mode), ARCserve Manager, RConsole, Gupta SQLBase, Pervasive SQL, Oracle for NetWare.......   Thus, the addition of a new application may be the cause of the sudden increase.

Q.  How can you determine which device is sending the SAP_GSQs?

A.  You can filter for the SAP_GSQs with your analyser to see if any particular device is sending all the requests and you can look at the SAP_GSRs and examine the destination network, destination node to determine if all responses are being sent to a particular node.   Make sure you use an analyser such as the Sniffer or Lanalyser that can understand and decode from NCP to IPX to MAC level.  Offerings such as NetXRay do not truly understand the NetWare protocols and won't be much help.

I suggest you obtain a copy of the SAPMON utility which will allow you to monitor and analyse SAP traffic on your network.  http://www.net-utils.com/utils/sapmn12.exe
 
0
 

Author Comment

by:jerryross
ID: 1594456
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0
 

Author Comment

by:jerryross
ID: 1594457
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: Justin
In light of the WannaCry ransomware attack that affected millions of Windows machines, you might wonder if your Mac needs protecting. Yes, it does and here is how to do it.
If you need a simple but flexible process for maintaining an audit trail of who created, edited, or deleted data from a table, or multiple tables, and you can do all of your work from within a form, this simple Audit Log will work for you.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question