Security Incidents mailing list archives

Re: Ether Broadcast


From: Jeff <jeff () TCNET ORG>
Date: Tue, 19 Dec 2000 15:10:27 -0500

Shawn-

In regards to the ethernet broadcast traffic you've been seeing...

Microsoft owns the Ethernet protocol type 88-6f (hex). See
<URI:http://standards.ieee.org/regauth/ethertype/type-pub.html>.

It sounds like a Windows 2000 cluster doing Network Load Balancing.

Ethernet protocol type and bandwidth utilization seem to match the
following description:

``In unicast mode, each cluster host periodically broadcasts heartbeat
messages, and in multicast mode, it multicasts these messages. Each
heartbeat message occupies one Ethernet frame and is tagged with the
cluster's primary IP address so that multiple clusters can reside on the
same subnet. Network Load Balancing's heartbeat messages are assigned an
ether type-value of hexadecimal 886F. The default period between sending
heartbeats is one second, and this value can be adjusted with the
AliveMsgPeriod registry parameter.  During convergence, the exchange
period is reduced by half in order to expedite completion. Even for large
clusters, the bandwidth required for heartbeat messages is very low (for
example, 24 Kbytes/second for a 16-way cluster).''

<URI:http://www.microsoft.com/TechNet/win2000/nlbovw.asp>

With a proper decode of the packet data, you should find the cluster's
primary IP address.

Enjoy, and thanks for the hunt. :)

-jeff

--
Jeff Godin
Network Specialist
Traverse Area District Library / Traverse Community Network
jeff () tcnet org
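
Added example, not part of the original message: a Python triage sketch that picks EtherType 0x886F frames out of a capture and reports, per source MAC, the destination type, mean interval and byte rate, for comparison with the heartbeat behaviour quoted above. The MAC addresses, frame size and zero-filled payloads are constructed; no heartbeat payload layout is assumed or decoded.

```python
import struct
from collections import defaultdict

NLB_ETHERTYPE = 0x886F  # heartbeat EtherType quoted in the message

def parse_eth(frame):
    """Return (dst, src, ethertype), or None if the frame is too short."""
    if len(frame) < 14:
        return None
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype == 0x8100:  # 802.1Q tag: the real EtherType follows the 4-byte tag
        if len(frame) < 18:
            return None
        etype = struct.unpack("!H", frame[16:18])[0]
    return dst, src, etype

def dst_kind(dst):
    if dst == b"\xff" * 6:
        return "broadcast"
    return "multicast" if dst[0] & 1 else "unicast"

def summarize(capture):
    """capture: iterable of (timestamp_seconds, frame_bytes) -> per-source stats.
    mean_interval is what to compare with the default one-second period."""
    seen = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_eth(frame)
        if parsed and parsed[2] == NLB_ETHERTYPE:
            seen[parsed[1].hex(":")].append((ts, len(frame), dst_kind(parsed[0])))
    report = {}
    for mac, rows in seen.items():
        rows.sort()
        span = rows[-1][0] - rows[0][0]
        report[mac] = {
            "frames": len(rows),
            "dst": sorted({kind for _, _, kind in rows}),
            "mean_interval": span / (len(rows) - 1) if span > 0 else None,
            "bytes_per_sec": sum(n for _, n, _ in rows[1:]) / span if span > 0 else None,
        }
    return report

# Constructed sample: two hypothetical hosts, one 1500-byte broadcast frame per second
# each (sized from the quoted 24 Kbytes/second for 16 hosts), plus one ARP frame.
def _frame(src, etype, size, dst=b"\xff" * 6):
    hdr = dst + src + struct.pack("!H", etype)
    return hdr + bytes(size - len(hdr))
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [(t + off, _frame(mac, NLB_ETHERTYPE, 1500))
          for t in range(5) for mac, off in ((HOST_A, 0.0), (HOST_B, 0.25))]
SAMPLE.append((0.5, _frame(HOST_A, 0x0806, 60)))
```

Calling `summarize(SAMPLE)` returns one entry per source MAC; a source sending broadcast 0x886F frames about once per second fits the unicast-mode description in the quoted text.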

