M. F. Sprague

asked on

What could be causing an 0x8899 flood?

I have an HP EliteBook 8730w HP machine with XP SP3.  The NIC is a 82567LM Gigabit.  Wireshark Version 1.6.1 is seeing a flood (packet ea/.001068 seconds +/-) of protocol 0x8899 Ethernet II packets (All outgoing; no responses).  Packet length ranges from 64 to about 1499 or 1518 packets long. The problem I have is that I cannot find the Source MAC on my (small home) network (I have tried several MAC scanners), nor do I know anything about the destination address.

Source:  f8:c0:01:7c:65:cc
Destination: Dell_79:08:f2 (00:19:b9:79:08:f2)
Type: Unknown (0x8899), Ethernet II
Data (1504 bytes)
5 lines of data:
0010   88 64 11 00 14 ef 05 d6 00 21 45 40 05 d4 ac 25  .d.......!E@...%
0020   20 00 36 11 54 58 47 13 fb f9 61 73 b9 db a0 e1   .6.TXG...as....
0030   c9 be 05 cd 4b 14 32 bb 81 3a 22 b9 5d 95 21 4e  ....K.2..:".].!N
0040   6d 27 cb 53 59 65 0b 8d 75 33 cb ab f9 de 7e 52  m'.SYe..u3....~R
0050   32 57 86 24 53 27 ee 64 20 41 72 31 20 11 2a 43  2W.$S'.d Ar1 .*C
.
.

So, I have no such source or destination MAC on my network (that I can tell), am seeing an ongoing flood of data anytime day/night.  To my knowledge, I have no Dell equipment on my network (two printers, 4-5 computers, a couple of Smart phones, and several Security DVRs).  Most computers behind one or more switches.  I am certain that I have no Realtek routers/switches or anything that might be using a managed protocol i.e. Realtek Remote Control Protocol (RRCP) Type 0x8899.
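
Added example, not part of the original post: a Python decoder for the first two hex-dump rows shown above. It assumes the two payload bytes at offsets 0x000e-0x000f, which the posted dump omits, come directly before these rows; under that assumption the bytes parse as a PPPoE session header carrying an IPv4 packet, and the lengths add up to the 1504 data bytes Wireshark reported.

```python
import struct

# First two rows (offsets 0x0010-0x002f) of the hex dump exactly as posted.
# Row 0x0000 (Ethernet header + first 2 payload bytes) is not on the page.
POSTED = bytes.fromhex(
    "88 64 11 00 14 ef 05 d6 00 21 45 40 05 d4 ac 25 "
    "20 00 36 11 54 58 47 13 fb f9 61 73 b9 db a0 e1"
)
UNSEEN_BYTES = 2  # assumption: 0x8899 payload bytes at 0x000e-0x000f, not shown


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over a valid IPv4 header folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode(buf: bytes) -> dict:
    """Parse buf as EtherType + PPPoE session header + PPP protocol + IPv4."""
    if len(buf) < 30:
        raise ValueError("need at least 30 bytes")
    etype, ver_type, code, session, plen, ppp = struct.unpack_from("!HBBHHH", buf)
    ip = buf[10:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    return {
        "inner_ethertype": etype,        # 0x8864 = PPPoE session stage
        "pppoe_ver_type": ver_type,      # 0x11 = version 1, type 1
        "pppoe_code": code,              # 0x00 = session data
        "session_id": session,
        "pppoe_length": plen,            # PPP protocol field + PPP payload
        "ppp_protocol": ppp,             # 0x0021 = IPv4
        "ip_version": ip[0] >> 4,
        "ip_total_length": struct.unpack_from("!H", ip, 2)[0],
        "ip_protocol": ip[9],            # 17 = UDP
        "ip_checksum_ok": ipv4_checksum_ok(ip[:ihl]),
        # unseen bytes + inner EtherType (2) + PPPoE header (6) + PPPoE length
        "implied_data_bytes": UNSEEN_BYTES + 2 + 6 + plen,
    }


if __name__ == "__main__":
    for name, value in decode(POSTED).items():
        print(f"{name:20} {value}")
```
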
SOLUTION
DrDave242
ASKER CERTIFIED SOLUTION
M. F. Sprague

ASKER

Folks,
Thank you, both for your replies and interest. I am very grateful.  

I tinkered with the network today (took some useless 'puters offline and reset the Edge). Tonight, I am still seeing 0x8899 packets (~3-4 X/sec) but not at all like the flood I saw yesterday.  I took the switch nearest this puter (diag host) off-line (a la Davis above) and the packets stopped.

So, I had mis-read WireShark thinking that the WireShark host was sourcing the packets.  I took three days of missed meds and I get it now. Problem is somewhere up wind.  Now, I will back up the chain (a switch, a Smart TV, cable box, and then Switch/router)  toward the router and see what is out there in the Delta Quadrant that may be dragging the network down.  First I may rummage through my box of toys and find that old Hub.  Heard that it is great for getting around layer two traffic that is being MAC filtered out of the port you are tapping... or so I understood it before I fell asleep in class (again).

Appreciate the feedback.  Off to see the Wizard.
mfs
So, what is the make and model of that switch?
Thanks for the inquiry, Davis.  I think that I am getting a handle on it. After walking the problem back towards the router, disconnecting one Christmas light string of collision domains after another, I saw that essentially it was emanating from the router itself and most probably from the WiFi side of the internal LAN.  Unfortunately, when I logged into the router to admin the WiFi and view what is connected via the WiFi, I got into a fistfight with the Router's OS..some kind of corruption prevented me from making a change to WiFi config.  Nice, actually; I have hated that router from the day I installed it.   My wife, the CFO of the family, owes me big time, so..one each brand new Synology RT2600AC router inbound on 2 day delivery.  I'll come back when I get the thing configured/installed/and the WiFi debugged.. Looking through the packets, last night, I got an inkling that there may be a bad wireless Acurite weather module out there.  Do not know for sure, but..I WILL find out.
tks agn
mfs
Update:  New router arrived 8/1 but won't communicate with my ISP.....OhHeavySigh....
but there is some good news;  from the LAN side of the new router there is no more 0x8899 flood.  Seems that the LAN side of the WiFi just may have been the problem.  TBD
If you have a business class connection from the ISP, the WAN side almost always has to be set with a very specific ip address, subnet mask, and gateway ip or it won't work.  Check the old router's settings if you can.
The other common flaw happens when the ISP's modem is a router itself and uses the same ip address range as the router (i.e. 192.168.0.xxx).  This causes all traffic to loop back on itself; but, changing the new router to a different ip address fixes that.
Update; although the replacement router came last week, it still will not connect with my WAN provider.  Synology Support is working the issue and I am a few days short of boxing it up UPS style and making the 125 mile round trip in to one of the big box stores for something else.  It is hard to remember that the original goal was stemming a flood, when there is a gator under every bridge you build.   Color me TBD for the next few days till I get the router up.
Did you get this taken care of?  I'm being asked to close the question.
Ultimately, replacing the router flooding the network is going to be the best solution with a nod to Davis for provoking me to follow the packet storm upstream, albeit the flood was not emanating from a switch.  The tech support for the replacement router which would not connect to the PPPoE WAN asked that I perform some diagnostic efforts via SSH, and in attempting that, ultimately, I was overwhelmed (my 'nix skills and test beds are poor at best).  I returned the replacement router and ordered a different breed.  The original router is still flooding my network, but I hope to eliminate that on getting a replacement router that properly connects to the WAN.  I think that the Exchange has been a welcome sounding board and I highly appreciate everybody's efforts.  Thank you all.  Please close.
You need to close it and award the points, OK?
Many thanks to all of the contributors.