Lots of multicast traffic from server

Posted on 2016-09-20
Last Modified: 2016-09-21
We have a Windows Server 2008 that runs a student information database. Wireshark shows almost 100 packets a second going to a multicast address. Any idea what this might be? I am not great with networking, so pardon my ignorance of the issue.
Question by:Roccat

Accepted Solution

Bill Bach earned 250 total points
ID: 41806973
Can you post a sample of the data itself?  Perhaps there is something inside there which will indicate its origin.  Also, is it going out through a specific port, either TCP or UDP?  You can use "NETSTAT -a -b" from an administrative command line to see which application is using that port.  If that doesn't help, then the SysInternals product ProcMon ( will be able to show you which process is transmitting the messages.
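An added example, not part of the original answer: one way to apply the netstat step is to capture `netstat -ano -p udp` on the server and pull out the PID that owns the UDP port in question. The sample output, PIDs and the function name `udp_owners` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:150            0.0.0.0:0              LISTENING       716
  UDP    0.0.0.0:150            *:*                                    2384
  UDP    [::]:150               *:*                                    2384
  UDP    10.0.0.5:137           *:*                                    4
  UDP    0.0.0.0:1500           *:*                                    900
"""


def udp_owners(netstat_text, port):
    """Return {pid: [local endpoints]} for UDP sockets bound to `port`."""
    owners = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        # UDP rows have no State column: Proto, Local, Foreign, PID.
        # TCP rows have five fields and are skipped here.
        if len(fields) != 4 or fields[0].upper() != "UDP":
            continue
        _proto, local, _foreign, pid = fields
        # rpartition keeps IPv6 endpoints such as [::]:150 intact.
        _host, _, local_port = local.rpartition(":")
        if not (local_port.isdigit() and pid.isdigit()):
            continue
        # Compare as integers so port 150 does not match 1500.
        if int(local_port) == port:
            owners[int(pid)].append(local)
    return dict(owners)


if __name__ == "__main__":
    for pid, endpoints in udp_owners(SAMPLE, 150).items():
        # Resolve the PID to a process name with: tasklist /FI "PID eq <pid>"
        print(f"PID {pid} owns UDP {', '.join(endpoints)}")
```
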

Author Comment

ID: 41807073
Port 150 UDP

Author Comment

ID: 41807133
5478      64.496129      0      150 → 150  Len=583      UDP      00:50:56:ac:57:8a      00:50:56:ac:57:8a      625

This is the packet summary that is reoccurring about 100 times a second.

Assisted Solution

awed1 earned 125 total points
ID: 41807243
This could have to do with NetBIOS. Is it disabled throughout?
Check if the computer with the .238 address has it enabled.

Author Comment

ID: 41807299
The Tomcat 6 process is using 26 GB of RAM right now.
NetBIOS is not disabled.

Expert Comment

by:Bill Bach
ID: 41807332
Did a quick web search, and found this scary reference:

Port(s)       Protocol       Service       Details       Source
150       tcp,udp       sql-net       Denial of service of Ascend routers through port 150 (remote administration).
References: [CVE-1999-0221]
SQL-NET (IANA official)

Is it possible that the server is infected?  Were you able to see the process name via ProcMon?

Expert Comment

ID: 41807339
So you are using NetBIOS with the Tomcat?
The UDP Port 150 is commonly used by NetBIOS.
If you need it, then leave it running, but if not, the problem might disappear once it is disabled.

Expert Comment

ID: 41807380
Maybe the cluster configuration in the Tomcat is not set properly.
It normally is set to a frequency of 500MS. Maybe it is somehow set to 5 or something like that.

Assisted Solution

by:Craig Beck
Craig Beck earned 125 total points
ID: 41807880 is an unassigned multicast address.  It has nothing to do with UDP port 150 though.

Can you post a wireshark log?

Author Comment

ID: 41808952
Multiple reoccurring scheduled tasks that were failing were sending out all the traffic. Not sure what they are broadcasting, but it has calmed down for now. Thank you for the help.

Author Closing Comment

ID: 41808954
Thank you!
