Solved

SAP General Response Packets

Posted on 1998-12-15
3
280 Views
Last Modified: 2006-11-17
I am seeing SAP General Response packets from machines all over the network.  This is not typical of our network.  Can anyone tell me what may be causing this?
0
Comment
Question by:jerryross
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
brosenb0 earned 100 total points
ID: 1594455
Jerryross,

Without seeing your Sniffer, Lanalyzer or other analyser traces, one may only speculate, however, SAP General Service Response packets or SAP_GSRs are complementary to SAP General Service Query packets or SAP_GSQs.  Thus, SAP_GSRs are responses to SAP_GSQs with SAP_GSQs being a broadcast request.  SAP_GSRs may originate from servers or routers (basically any device that maintains a SAP table), with SAP_GSQs typically originating from workstations.  Because SAP_GSQs are a broadcast request, all devices that can respond that receive the request will attempt to respond, effectively causing a one-way broadcast response storm.  This is one reason why effective SAP filtering MUST be in place.

The best way to filter this is put an access list on each router port that filters the request, thus only allowing the local router port to service the request.

Q.  What causes the transmission of SAP_GSQ and hence SAP_GSR packets?

A.  One common cause of the transmission of SAP_GSQ packets is due to a workstation that does not receive a response to a SAP_GNS or Get Nearest Server request when the NetWare client first connects to the network.  When a workstation does not receive a request to a SAP_GNS request (also a broadcast) it sends a SAP_GSQ in an attempt to find a file server.

Q.  Why would SAP_GNS requests suddenly be receiving no response?

A.  Two main reasons,

1.  A file server that did reside  on the workstation's local segment has since been disabled or moved and SAP_GNS ACLs were already in place on the local router port, effectively prohibiting other servers on other segments from responding.

2.  A SAP_GNS ACL has recently been installed on the local router port and no server did reside on the workstation's local segment.
 
Q.  What other reasons are there for a device to send a SAP_GSQ?

A.  There are many applications that rely on SAP_GSQs to locate their services on the network.  RPrinter, NPrinter (non logged into NDS mode), ARCserve Manager, RConsole, Gupta SQLBase, Pervasive SQL, Oracle for NetWare.......   Thus, the addition of a new application may be the cause of the sudden increase.

Q.  How can you determine which device is sending the SAP_GSQs?

A.  You can filter for the SAP_GSQs with your analyser to see if any particular device is sending all the requests and you can look at the SAP_GSRs and examine the destination network, destination node to determine if all responses are being sent to a particular node.   Make sure you use an analyser such as the Sniffer or Lanalyser that can understand and decode from NCP to IPX to MAC level.  Offerings such as NetXRay do not truly understand the NetWare protocols and won't be much help.

I suggest you obtain a copy of the SAPMON utility which will allow you to monitor and analyse SAP traffic on your network.  http://www.net-utils.com/utils/sapmn12.exe
 
0
 

Author Comment

by:jerryross
ID: 1594456
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0
 

Author Comment

by:jerryross
ID: 1594457
Thank you!  Our sniffer is LANWatch.  I had been using that to look at the SAP packets.  We had also been guessing that the GSQ was causing the GSR packets.  We traced one of the machines that was generating the GNS packets.  It was waiting at the windows login prompt.  According to the information you have given us, this makes sense.  Thank you very much for the detailed response.  With this new information we should be able to solve our problems :)
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
open cdrom on netware 3.12 4 588
Deleting folders in on a Novell share and now no one can access drives 5 1,130
netware 5.1 license keys 15 1,475
search drive 4 231
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question