Solved

SAP General Response Packets

Posted on 1998-12-15
3
259 Views
Last Modified: 2006-11-17
I am seeing SAP General Response packets from machines all over the network.  This is not typical of our network.  Can anyone tell me what may be causing this?
0
Comment
Question by:jerryross
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
brosenb0 earned 100 total points
ID: 1594455
Jerryross,

Without seeing your Sniffer, Lanalyzer or other analyser traces, one may only speculate, however, SAP General Service Response packets or SAP_GSRs are complementary to SAP General Service Query packets or SAP_GSQs.  Thus, SAP_GSRs are responses to SAP_GSQs with SAP_GSQs being a broadcast request.  SAP_GSRs may originate from servers or routers (basically any device that maintains a SAP table), with SAP_GSQs typically originating from workstations.  Because SAP_GSQs are a broadcast request, all devices that can respond that receive the request will attempt to respond, effectively causing a one-way broadcast response storm.  This is one reason why effective SAP filtering MUST be in place.

The best way to filter this is put an access list on each router port that filters the request, thus only allowing the local router port to service the request.

Q.  What causes the transmission of SAP_GSQ and hence SAP_GSR packets?

A.  One common cause of the transmission of SAP_GSQ packets is due to a workstation that does not receive a response to a SAP_GNS or Get Nearest Server request when the NetWare client first connects to the network.  When a workstation does not receive a request to a SAP_GNS request (also a broadcast) it sends a SAP_GSQ in an attempt to find a file server.

Q.  Why would SAP_GNS requests suddenly be receiving no response?

A.  Two main reasons,

1.  A file server that did reside  on the workstation's local segment has since been disabled or moved and SAP_GNS ACLs were already in place on the local router port, effectively prohibiting other servers on other segments from responding.

2.  A SAP_GNS ACL has recently been installed on the local router port and no server did reside on the workstation's local segment.
 
Q.  What other reasons are there for a device to send a SAP_GSQ?

A.  There are many applications that rely on SAP_GSQs to locate their services on the network.  RPrinter, NPrinter (non logged into NDS mode), ARCserve Manager, RConsole, Gupta SQLBase, Pervasive SQL, Oracle for NetWare.......   Thus, the addition of a new application may be the cause of the sudden increase.

Q.  How can you determine which device is sending the SAP_GSQs?

A.  You can filter for the SAP_GSQs with your analyser to see if any particular device is sending all the requests and you can look at the SAP_GSRs and examine the destination network, destination node to determine if all responses are being sent to a particular node.   Make sure you use an analyser such as the Sniffer or Lanalyser that can understand and decode from NCP to IPX to MAC level.  Offerings such as NetXRay do not truly understand the NetWare protocols and won't be much help.

I suggest you obtain a copy of the SAPMON utility which will allow you to monitor and analyse SAP traffic on your network.  http://www.net-utils.com/utils/sapmn12.exe
 
0
 

Author Comment

by:jerryross
ID: 1594456
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0
 

Author Comment

by:jerryross
ID: 1594457
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
We have come a long way with backup and data protection — from backing up to floppies, external drives, CDs, Blu-ray, flash drives, SSD drives, and now to the cloud.
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now