
Thread: network broadcasts??

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    214

    network broadcasts??

    Hello,
    I have a 4 computer home LAN and noticed something interesting. I know a little about tcp-ip, but not much about broadcast addresses, subnets and stuff. Most of the time only two computers are on, a small web server and the family computer.

    Anyway, whenever I connect to aim or a new website or whatever, it seems to broadcast something (according to the status leds.) I'm thinking it might be trying a dns lookup on the local server, but I never set that computer up as a dns server and I don't know why it would do that. The family computer dual boots linux and WinME and I think it does that with both.

    Just curious as to what that is. I don't think this was happening before, it just started recently, like 2 weeks maybe...

    -Mike
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The broadcast address, historically, is where the host ID is set to all 1's (although, nowadays, setting the host ID to all 0's will accomplish the same thing). For example, if you had a simple class C, 192.168.1.0 /24, that gives you a netmask of 255.255.255.0, which means the last octet (1111 1111) in binary, is reserved for the host ids. The value of 255 would then be the broadcast, the value of 0 would be the network ID. Let's say in the same example, the netmask was instead 192.168.1.0/28 or 255.255.255.240, that means the host id's would range from 0 - 15, with 0 being the network id, 15 being the broadcast (you would have a 4 bit host id, all 1's in a 4 bit binary number = 15, there are many tutorials on netmask to help you with this if you need it).

    Now, as to why the broadcast. The best thing I could recommend is to take the linux box and do a sniff of the packets being broadcast, that will tell you pretty quickly what kind of traffic is being sent and who is sending it. Broadcasts are not that abnormal, they can be anything from an ARP request by your PC (turns names/ip's into MAC's), to mickie soft style netbios requests.

    Arp requests would be used by your computer for example for the default gateway. In order to know the hardware address of the default router (say your default was 192.168.0.254), it would send out an arp request along the lines of whois 192.168.0.254 ARP ?, your default router will see this and respond with its MAC, and then the two can begin communicating on the datalink/physical level.

    Microsoft products also like to try to see if other things have netbios names, and will typically send out netbios name requests asking for a box's particular name (even if it doesn't have one) and this could be a possible source too.

    Once again, recommend you sniff the traffic for a little while. If you need help interpreting the results, post what you see here, but sanitize it (no usernames, passwords, or IP's, but please distinguish if the communication is between two different computers).

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    A certain amount of broadcasts are normal. Firstly, any Windows machine (or a Linux machine pretending to be one using Samba etc) will send out UDP netbios broadcasts from time to time. Having other protocols (such as IPX) enabled increases this.

    Secondly, any machine which has any IP traffic at all over ethernet to or from it will be sending out ARP messages from time to time. This is normal and is used to find other machines on the network.

    Aside from those two, you shouldn't really see much unless you have other software which uses them. Neither should normally be blocked as it may cause existing stuff on your network to stop working. Neither sends any particularly sensitive information in broadcasts (Netbios sends machine and usernames, but nothing much more), so isn't a particular security hazard. Broadcasts are not normally routed anyway, so they won't go beyond your LAN.

    DNS requests are, to the best of my knowledge, never broadcast so you should not see those.
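
An added example, not part of any post in this thread: it computes the broadcast address for the /24 and /28 cases discussed above and labels Ethernet broadcast frames as ARP or NetBIOS, which is the triage the posters recommend doing on a capture. The function names, MAC address, IP addresses and sample frames are constructed for illustration, and Ethernet II framing is assumed.

```python
import ipaddress
import struct

ETH_BROADCAST = b"\xff" * 6
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram"}

def directed_broadcast(cidr):
    """Broadcast address of a network: host ID bits all set to 1."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)

def classify(frame, cidr):
    """Label one raw Ethernet II frame captured on the LAN given by cidr."""
    if len(frame) < 14 or frame[:6] != ETH_BROADCAST:
        return "not an Ethernet broadcast"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == 0x0806 and len(payload) >= 28:      # ARP
        oper = struct.unpack("!H", payload[6:8])[0]
        sender = ipaddress.ip_address(payload[14:18])
        target = ipaddress.ip_address(payload[24:28])
        if oper == 1:
            return f"ARP who-has {target} tell {sender}"
        return f"ARP opcode {oper} from {sender}"
    if ethertype == 0x0800 and len(payload) >= 20:      # IPv4
        ihl = (payload[0] & 0x0F) * 4
        dst_ip = str(ipaddress.ip_address(payload[16:20]))
        if dst_ip not in ("255.255.255.255", directed_broadcast(cidr)):
            return f"IPv4 to {dst_ip} inside a broadcast frame"
        if payload[9] == 17 and len(payload) >= ihl + 8:  # UDP
            dport = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
            return f"UDP broadcast, port {dport} ({NETBIOS_PORTS.get(dport, 'other')})"
        return f"IPv4 broadcast, protocol {payload[9]}"
    return f"other broadcast, ethertype 0x{ethertype:04x}"

# Constructed sample frames (not captured traffic); MAC and IPs are made up.
MAC = bytes.fromhex("020000000001")
HOST, GATEWAY, BCAST = (bytes([192, 168, 1, n]) for n in (10, 254, 255))
ARP_REQUEST = (ETH_BROADCAST + MAC + b"\x08\x06"
               + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
               + MAC + HOST + b"\x00" * 6 + GATEWAY)
NETBIOS_QUERY = (ETH_BROADCAST + MAC + b"\x08\x00"
                 + struct.pack("!BBHHHBBH", 0x45, 0, 28, 0, 0, 64, 17, 0)
                 + HOST + BCAST + struct.pack("!HHHH", 137, 137, 8, 0))

if __name__ == "__main__":
    for frame in (ARP_REQUEST, NETBIOS_QUERY):
        print(classify(frame, "192.168.1.0/24"))
```

A broadcast frame whose IPv4 destination is neither 255.255.255.255 nor the subnet's own broadcast address is reported separately, since that usually points at a host configured with the wrong netmask.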

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    214
    Thanks, I set up tcpdump on the server, turned it on and it turned out to be just netbios stuff.
    Either get busy living or get busy dying.

    -The Shawshank Redemption

  5. #5
    Yes. TCP/IP needs to perform an ARP process in order to know exactly the MAC address of the host. ARP is a broadcast itself, and is only carried out initially. When a MAC-IP relationship (one-one) has been established, each device has its own ARP cache, and will know the correct MAC address, so it will unicast to the address.
    And one more thing, if in a certain period of time, when no traffic has occurred, the ARP timer is not reset, the entry will time out and be removed from the cache. The ARP process must take place again.

    Let's go to Paramount Great America !!!! LFC (LookingForChick)
