Solved

Lots of multicast traffic from server

Posted on 2016-09-20
Last Modified: 2016-09-21
We have a Windows Server 2008 that runs a student information database.  Wireshark shows almost 100 packets a second going to a multicast address 224.0.0.150.  Any idea what this might be?  I am not great with networking so pardon my ignorance of the issue.
Question by:Roccat
11 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 250 total points
ID: 41806973
Can you post a sample of the data itself?  Perhaps there is something inside there which will indicate its origin.  Also, is it going out through a specific port, either TCP or UDP?  You can use "NETSTAT -a -b" from an administrative command line to see which application is using that port.  If that doesn't help, then the SysInternals product ProcMon (www.sysinternals.com) will be able to show you which process is transmitting the messages.
0
 

Author Comment

by:Roccat
ID: 41807073
Port 150 UDP
0
 

Author Comment

by:Roccat
ID: 41807133
5478      64.496129      192.25.205.238      0      224.0.0.150      150 → 150  Len=583      UDP      00:50:56:ac:57:8a      00:50:56:ac:57:8a      192.25.205.238      625

This is the packet summary that is reoccurring about 100 times a second.
0
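
Added example, not from the original thread or any poster: the Python below measures per-flow packet rates for multicast UDP traffic from a tab-separated capture export, which is one way to confirm a rate like the roughly 100 packets per second reported above and tie it to a source host. The export layout, the function name and the sample rows are assumptions constructed for illustration; the addresses mirror the packet summary posted above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, tab-separated: time, src, dst, udp sport, udp dport, frame length
# (e.g. tshark -T fields -e frame.time_relative -e ip.src -e ip.dst
#  -e udp.srcport -e udp.dstport -e frame.len). Timings are made up.
SAMPLE = "\n".join(
    [f"{64 + i / 100:.6f}\t192.25.205.238\t224.0.0.150\t150\t150\t625" for i in range(101)]
    + ["64.200000\t192.25.205.10\t192.25.205.238\t51000\t8080\t90",   # unicast, ignored
       "64.300000\t192.25.205.10\t224.0.0.251\t5353\t5353\t120",      # lone multicast packet
       "not a packet row"]                                             # malformed, skipped
)
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # RFC 5771 Local Network Control Block


def multicast_flows(text, min_pps=10.0):
    """Return multicast UDP flows sending at least min_pps packets/s, busiest first."""
    flows = defaultdict(lambda: {"n": 0, "bytes": 0, "times": []})
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        try:
            ts, dst = float(parts[0]), ipaddress.ip_address(parts[2])
            dport, length = int(parts[4]), int(parts[5])
        except ValueError:
            continue  # non-numeric or non-IP field
        if not dst.is_multicast:
            continue
        flow = flows[(parts[1], dst, dport)]
        flow["n"] += 1
        flow["bytes"] += length
        flow["times"].append(ts)
    report = []
    for (src, dst, dport), flow in flows.items():
        span = max(flow["times"]) - min(flow["times"])
        if span <= 0:
            continue  # one packet (or identical timestamps): no measurable rate
        pps = (flow["n"] - 1) / span
        if pps >= min_pps:
            report.append({"src": src, "group": str(dst), "dport": dport,
                           "pps": round(pps, 1), "bytes": flow["bytes"],
                           "link_local": dst in LINK_LOCAL})
    return sorted(report, key=lambda r: r["pps"], reverse=True)


if __name__ == "__main__":
    for row in multicast_flows(SAMPLE):
        print(row)
```

The `link_local` flag marks groups in 224.0.0.0/24, which routers do not forward, so a flow flagged this way stays on the sender's own network segment.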
 
LVL 3

Assisted Solution

by:awed1
awed1 earned 125 total points
ID: 41807243
This could have to do with NetBIOS. Is it disabled throughout?
Check if the computer with the .238 address has it enabled.
0
 

Author Comment

by:Roccat
ID: 41807299
The Tomcat 6 process is using 26 GB of RAM right now.
NetBIOS is not disabled.
0
 
LVL 28

Expert Comment

by:Bill Bach
ID: 41807332
Did a quick web search, and found this scary reference:

Port(s)       Protocol       Service       Details       Source
150       tcp,udp       sql-net       Denial of service of Ascend routers through port 150 (remote administration).
References: [CVE-1999-0221]
SQL-NET (IANA official)

Is it possible that the server is infected?  Were you able to see the process name via ProcMon?
0
 
LVL 3

Expert Comment

by:awed1
ID: 41807339
So you are using NetBIOS with the Tomcat?
The UDP Port 150 is commonly used by NetBIOS.
If you need it, then leave it running, but if not, the problem might disappear once it is disabled.
0
 
LVL 3

Expert Comment

by:awed1
ID: 41807380
Maybe the cluster configuration in the Tomcat is not set properly.
It normally is set to a frequency of 500 ms; maybe it is somehow set to 5 or something like that.
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 41807880
224.0.0.150 is an unassigned multicast address.  It has nothing to do with UDP port 150 though.

Can you post a Wireshark log?
0
 

Author Comment

by:Roccat
ID: 41808952
Multiple reoccurring scheduled tasks that were failing were sending out all the traffic.  Not sure what they are broadcasting but it has calmed down for now.  Thank you for the help.
0
 

Author Closing Comment

by:Roccat
ID: 41808954
Thank you!
0
