[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Can UDP traffic degrade network performance?

Posted on 2006-05-24
13
Medium Priority
?
1,068 Views
Last Modified: 2012-05-05
I run a network with a single domain and 80 workstations. I was looking at our Watchguard Firebox 700 log files today and noticed that there is a lot of UDP traffic being generated by my workstations. Details are as follows:

Source: myworkstation
Destination 10.255.255.255
Port: 138
Direction: Out
Details UDP

I have a hunch it may be caused by our subnet mask. Our IP address range is 10.10.0.x with a subnet mask of 255.0.0.0. When I manually assigned a workstation a subnet mask of 255.255.255.0 it stopped generating the traffic.

Can anybody confirm whether my assumption is correct? And is this traffic harmless or can it degrade my network performance?
0
Comment
Question by:metamatic
  • 4
  • 3
  • 2
  • +4
13 Comments
 
LVL 9

Accepted Solution

by:
kfullarton earned 1200 total points
ID: 16753056
The traffic you're seeing is netbios, and it's still there but you're not seeing it due to your subnet mask.  It's now being limited to the 10.10.0.x subnet.  You would see it if you were running a sniffer on the local network as UDP broadcasts are not forwarded across subnets unless specifically configured to do so.  It's not likely to degrade your performance; it's just Windows being chatty.
0
 
LVL 12

Assisted Solution

by:Craig_200X
Craig_200X earned 200 total points
ID: 16753145
the only relation is the amount of hosts that will receive the udp protocol is reduced by your subnet mask.. it is a MORE specific subnet mask. It wont STOP udp traffic. That sounds just like a coincidence to me.

as far as the network performance... any TYPE of packet... in large quantities will affect your performance..
0
 
LVL 3

Assisted Solution

by:hfern
hfern earned 200 total points
ID: 16753834
Port 138 is used for NETBIOS broadcasts, it's used for building up the network neighborhood lists.. See here for more details: http://www.windowsitlibrary.com/Content/386/10/2.html
Basically you have 80 PCs telling each other at what IP address they are.. This should not be really causing congestion on your network. If you limit the subnet mask to 255.255.255.0 then only the PCs in the same limited subnet will receive these broadcasts. For example in a 10.x.x.x network with a subnet mask of 255.0.0.0 a broadcast will be received by any PC in the following address range: 10.(0 till 255).(0 till 255).(1 till 254). Still, in you network it's just 80 PCs.
If you limit the netmask to 255.255.255.0 then if a PC has an IP address of 10.1.1.1 then it will only receive the broadcasts of PC with IP addresses in the range of 10.1.1.(2 till 254).

If a PC receives such a broadcast then it needs to update some tables in order to maintain the network neighborhood list. The network traffic and the amount of work is the same as when you would move all 80 PCs in the same 255.255.255.0 subnet.

You can review if you have congestion by opening up a taks manager and look to the network tab. If you see more then 30 or 40% network traffic then you may have congestion. You can also look at your router and see if there are any error counters.

Hope this helps.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 12

Expert Comment

by:Craig_200X
ID: 16753951
BTW : the task manager network viewer doesnt show your entire NETWORK congestion level.. it only shows that machines network card data transfer statistics.

you want to use a network management tool/sw to accurately see congestion.
0
 
LVL 3

Expert Comment

by:hfern
ID: 16753994
> The task manager network viewer doesnt show your entire NETWORK congestion level.
This is true, thanks for pointing that out. Yet, if Metamagic's concern is broadcast traffic then he may get an idea about this anyway.
0
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 200 total points
ID: 16755698
To get back to the main question, the traffic is just normal Windows broadcast traffic. A broadcast will be sent to the broadcast address on your network, which is based on the subnet mask. With the new subnet mask it should be sending the same broadcast traffic out to 10.10.0.255. But no one else will be listening because it's not a broadcast address to them since their masks didn't change.

It won't degrade your network performance. If you find a way to block it, you'll be unable to perform a lot of the functions, like network neighborhood, that your users take for granted.
0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16758106
If you are using a SINGLE class C network, like 10.10.10.x , then the mask you SHOULD be using is  255.255.255.0.

The reason is, if you use 0 for the C and B addresses, the number if broadcasts is multiplied 256 x 256 x 256 -- and that is a lot of extraneous broadcasts you do NOT need.  so yes, it can impair your network performance, figure 80 X 256 X 256 extra broadcasts on netbios, and that makes a helluva lot. Keep the netmask to  255.255.255.0, unless you are running different class C domains, like x.x.1.x and x.x.2.x -- then use  255.255.0.0.  Hope that makes sense to you.
0
 
LVL 12

Expert Comment

by:Craig_200X
ID: 16758137
Scrathcyboy,

are you actually saying there are millions of broadcasts that will occur IF someone uses a 255.0.0.0 subnet mask?

It doesnt actually work that way. You should check the info on that.

:)



0
 
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 200 total points
ID: 16758176
Craig,

We just all have to bear with scrathcyboy - IMO, he is obviously still in the process of learning some core concepts...

Obviously, your subnet mask has little to do with the number of broadcasts, other than that a larger mask allows for more hosts, which may lead to more broadcasts, if those hosts actually exist.  Since widening the mask does not magically populate the network with additional hosts, asserting that a wider mask automatically means more broadcasts is indeed ridiculous.

>I was looking at our Watchguard Firebox 700 log files today and noticed that there is a lot of UDP traffic being
>generated by my workstations

Please define "a lot of...traffic" in terms of percentage of average traffic, and percentage of available bandwidth.

Cheers,
-Jon
0
 
LVL 12

Expert Comment

by:Craig_200X
ID: 16761942
Your right Captain..... must try to remember ....  I am still learning myself..  
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16764114
> I am still learning myself..

We all are, since no one is omniscient ;-)

Some folks are just farther along (probably because we [or at least I] am fast becoming a geezer)...

Cheers,
-Jon

0
 

Author Comment

by:metamatic
ID: 16768361
Cheers guys. i have a performance issue on my network but through other means have found out the UDP packets are not the cause so i do not need to take this any further.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 16772690
>>Please define "a lot of...traffic" in terms of percentage of average traffic, and percentage of available bandwidth.

>have a performance issue on my network but through other means have found out the UDP packets are not the cause

Indeed.

Cheers,
-Jon
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question