broadcast storm

A state in which a message that has been broadcast across a network results in even more responses, and each response results in still more responses in a snowball effect. A severe broadcast storm can block all other network traffic, resulting in a network meltdown. Broadcast storms can usually be prevented by carefully configuring a network to block illegal broadcast messages.

<networking> An broadcast on a network that causes multiple hosts to respond by broadcasting themselves, causing the storm to grow exponentially in severity.

n. [common] An incorrect packet broadcast on a network that causes most hosts to respond all at once, typically with wrong answers that start the process over again. See network meltdown; compare mail storm.







  1. 交换机的定义:交换机是一种基于MAC(网卡的硬件地址)识别,能完成封装转发数据包功能的网络设备。交换机可以“学习”MAC地址,并把其存放在内部地址表中,通过在数据帧的始发者和目标接收者之间建立临时的交换路径,使数据帧直接由源地址到达目的地址。
  2. 集线器的定义:集线器(HUB)属于数据通信系统中的基础设备,它和双绞线等传输介质一样,是一种不需任何软件支持或只需很少管理软件管理的硬件设备。它被广泛应用到各种场合。集线器工作在局域网(LAN)环境,像网卡一样,应用于OSI参考模型第一层,因此又被称为物理层设备。集线器内部采用了电器互联,当维护LAN的环境是逻辑总线或环型结构时,完全可以用集线器建立一个物理上的星型或树型网络结构。在这方面,集线器所起的作用相当于多端口的中继器。其实,集线器实际上就是中继器的一种,其区别仅在于集线器能够提供更多的端口服务,所以集线器又叫多口中继器。



  1. 交换机与集线器的本质区别:用集线器组成的网络称为共享式网络,而用交换机组成的网络称为交换式网络。 共享式以太网存在的主要问题是所有用户共享带宽,每个用户的实际可用带宽随网络用户数的增加而递减。这是因为当信息繁忙时,多个用户可能同时“争用”一个信道,而一个信道在某一时刻只允许一个用户占用,所以大量的用户经常处于监测等待状态,致使信号传输时产生抖动、停滞或失真,严重影响了网络的性能。
  2. 在交换式以太网中,交换机提供给每个用户专用的信息通道,除非两个源端口企图同时将信息发往同一个目的端口,否则多个源端口与目的端口之间可同时进行通信而不会发生冲突。通过实验测得,在多服务器组成的LAN 中,处于半双工模式下的交换式以太网的实际最大传输速度是共享式网络的1.7倍,而工作在全双工状态下的交换式以太网的实际最大传输速度可达到共享式网络的3.8倍。 交换机只是在工作方式上与集线器不同,其他的如连接方式、速度选择等与集线器基本相同,目前的交换机同样从速度上分为10M、100M和1000M几种,所提供的端口数多为8口、16口和24口几种。交换机在局域网中主要用于连接工作站、Hub、服务器或用于分散式主干网。



  1. 网络设备原因:我们经常会有这样一个误区,交换机是点对点转发,不会产生广播风暴。在我们购买网络设置时,购买的交换机,通常是智能型的Hub,却被奸商当做交换机来卖。这样,在网络稍微繁忙的时候,肯定会产生广播风暴了。
  2. 网卡损坏:如果网络机器的网卡损坏,也同样会产生广播风暴。损坏的网卡,不停向交换机发送大量的数据包,产生了大量无用的数据包,产生了广播风暴。由于网卡物理损坏引起的广播风暴,故障比较难排除,由于损坏的网卡一般还能上网,我们一般借用Sniffer局域网管理软件,查看网络数据流量,来判断故障点的位置。
  3. 网络环路:曾经在一次的网络故障排除中,发现一个很可笑的错误,一条双绞线,两端插在同一个交换机的不同端口上,导致了网络性能急骤下降,打开网页都非常困难。这种故障,就是典型的网络环路。网络环路的产生,一般是由于一条物理网络线路的两端,同时接在了一台网络设备中。
  4. 网络病毒:目前,一些比较流行的网络病毒,Funlove、震荡波、RPC等病毒,一旦有机器中毒后,会立即通过网络进行传播。网络病毒的传播,就会损耗大量的网络带宽,引起网络堵塞,引起广播风暴。
  5. 黑客软件的使用:目前,一些上网者,经常利用网络执法官、网络剪刀手等黑客软件,对网吧的内部网络进行攻击,由于这些软件的使用,网络也可能会引起广播风暴。









问:网吧有70多台计算机,网络每天都会瘫痪一到三次。通常情况下,只需将一级交换机的网线全部拔出后再连上,即可恢复正常,而有时则不得不重启一下交换机。把原来的10Mbps的网卡更换为10/100Mbps网卡后,有近一个星期的时间网络没有瘫痪。然而,这几天网络又开始不正常了。集线设备采用16口和24口的10/100Mbps交换机,代理服务器采用Windows 2000的ICS(Windows连接共享)。请问这一现象的原因是什么?






Broadcast Storm Analysis

When encountering a broadcast storm in a network baseline session, analyst can apply a specific technique to isolate the cause of the storm and the possible effect of the broadcast event on the internetwork.

A broadcast storm is a sequence of broadcast operations from a specific device or group of devices that occurs at a rapid frame-per-second rate that could cause network problems.

Network architecture, topology design, and layout configurations determine the network's tolerance level as it relates to frame-per-second broadcasts.

Consider, for example, a frame-per-second rate related to a broadcast storm generation of a specific protocol (Address Resolution Protocol [ARP], for example). Such generation, at more than 500 frames per second and on a continuing basis, is considered an abnormal protocol-sequencing event and can be extremely problematic.

The key here is to understand the difference between a normal broadcast event and an actual broadcast storm. When a normal broadcast event occurs, the broadcast is engaged from a specific physical device on a network for the express purpose of achieving a network communication cycle. There are conditions when a device, such as a router, broadcasts information to update other routers on the network to ensure that routing tables are maintained as consecutive and consistent related to internal route table information. Another standard broadcast event is when a device attempts to locate another device and requires the physical address or IP address of another device.

When a specific workstation device has a default gateway assigned, a "normal" broadcast event can occur. The device knows, for example, the target IP address of a device on the internetwork. It is common for this device to broadcast an ARP sequence to attempt to locate the target hardware address. ARP broadcasting is discussed in detail later in this book.

A workstation that broadcasts an ARP sequence to locate a target server but doesn't establish a broadcast resolve and doesn't receive a target hardware address for the server provides an example of an "abnormal" broadcast event. If the target device fails or the source broadcast operation mechanism or protocol-sequencing mechanism of the device fails, the source workstation device could start performing a loop ARP sequence that could be interpreted as a broadcast storm. Such an event in itself could cause a broadcast storm.


Broadcast storm analysis.

The point to be made here is that the frame-per-second rate of the broadcast sequence and the frequency of the broadcast sequence event occurrence can constitute an abnormal event.

Another example can be found in a Novell environment, when the Service Advertising Protocol (SAP) sequencing is engaged by specific servers. If the servers are broadcasting an SAP on standard NetWare sequence timing, the occurrence may take place on 60-second intervals. If there are hundreds or thousands of servers, the SAP sequence packets generated may become highly cumulative and affect areas of the enterprise internetwork that are not utilizing Novell processes.

In large internetworks, many of these concerns are addressed through protocol filtering within routers and switches in the network Layer 3 routing design. When a problem does occur because of an anomaly or possible misconfiguration of an internetwork, it is important to capture the information upon occurrence.

By applying an exact technique with a protocol analyzer, an analyst can very quickly capture a broadcast storm and identify the cause of the broadcast storm and develop a method to resolve the storm. Many different tools enable an analyst to achieve this. Almost all management systems for internetwork hubs, routers, and switches facilitate broadcast storm identification. The threshold that determines what is an actual broadcast occurrence versus an actual broadcast storm is usually set by the network manager or the configuring analyst of the network management platform.

The following discussion details the use of a protocol analyzer for broadcast storm analysis. When performing a data-analysis capture, a protocol analyzer is a useful tool for capturing a broadcast storm. Many protocol analyzers have thresholds that allow for an artificial intelligent–based Expert system to identify a broadcast storm. A storm can be identified by preconfiguring and studying a trigger or threshold for determining what would constitute a storm occurrence. When performing a network baseline, an analyst should always engage the threshold setting on the protocol analyzer prior to a baseline session.

Using a Protocol Analyzer for a Broadcast Storm

Based on the network architecture, the protocols, and the node count on a site being studied, an analyst must determine what constitutes a broadcast storm. This requires the analyst to be quite familiar with the topology and types of protocols and applications being deployed. A general benchmark is that a broadcast sequence occurring from a single device or a group of devices, either rapidly or on an intermittent cycle at more than 500 frames per second, is a storm event. At the very least, the sequence should be investigated if it is occurring at 500 frames per second (relative to just a few devices and a specific protocol operation).

After the threshold has been set on the protocol analyzer, a data-trace capture should be started. After the capture has been invoked, and a broadcast storm event has occurred in the Expert system with notification or in the statistics screen, the time of the storm and the devices related to the storm should be carefully noted. The addresses should be noted in a log along with the time of the storm and the frame-per-second count. Most protocol analyzers provide this information before the capture is even stopped. As soon as the broadcast storm occurrence takes place, the analyzer should be immediately stopped to ensure that the internal data-trace information is still within the memory buffer of the protocol analyzer. The data trace should then be saved to a disk drive or printed to a file to ensure that the information can be reviewed. The data-trace capture should then be opened and the actual absolute storm time noted from the Expert system or the statistical screen. Based on the absolute time, it may be possible on the protocol analyzer to turn on an absolute time feature. When turned on in the data trace, the absolute time feature enables an analyst to search on the actual storm for the absolute time event. This may immediately isolate and identify the cause of the broadcast storm.

Certain protocol analyzers offer hotkey filtering to move directly within the data-trace analysis results of the storm event. Either way, by using absolute time or hotkey filtering, the broadcast storm should be located within the data-trace capture.

Other metrics can be turned on in a protocol analysis display view when examining a broadcast storm, such as relative time and packet size. After the start of the storm has been located, the key devices starting and invoking the storm should be logged. Sometimes only one or two devices cause a cyclical broadcast storm occurrence throughout an internetwork, resulting in a broadcast storm event across many different network areas. The devices communicating at the time closest to the start of the storm inside the data-trace analysis results may be the devices causing the event.

After the storm has been located, the Relative Time field should be zeroed out and the storm should be closely reviewed by examining all packets or frames involved in the storm. If 500 or 1,000 frames are involved, all frames should be closely examined by paging through the trace. After the end of the storm has been located, the time between the start of the storm and the end of the storm should be measured by using a relative time process. This is achieved by just zeroing out the relative time at the beginning of the storm occurrence and examining the cumulative relative time at the end of the sequence. This provides a clear picture of the storm device participation and processes, the packet-size generation during the storm, and the source of the storm location. The initial several packets located for the broadcast storm should be investigated for the physical, network, and transport layer addressing schemes that may relate to the storm occurrence. This helps an analyst to understand the sequence of the storm event.

This is an extremely important process in network baselining and should be engaged in proactive and reactive analysis. In proactive baselining, an analyst must configure the proper broadcast storm thresholds on the protocol analyzer. This way, the storm events will show during the network baseline session. In a troubleshooting (reactive) event, it is important to know whether certain failure occurrences or site network failures are also being reported by the users; these may relate to the time of the storm occurrence. If this is the case, just isolating and identifying the broadcast storm may make it possible to isolate the devices causing the storm or the protocol operations involved. It may then be possible to stop the storm occurrence. This will increase performance levels and optimize the network.

Detecting a Broadcast Storm - Link Analyzer

Fluke Networks served as the Distributed Analysis and Troubleshooting sponsor for the Event Network (eNet) at Interop 2005 in Las Vegas.

Various analysis products were deployed throughout the eNet to discover end-user devices, analyze traffic statistics on key links, and monitor for problems.

In an unusual case, the OptiView Link Analyzer and Protocol Expert were used to monitor the VoIP VLAN for unexplained activity.

During testing on the VoIP VLAN, phones stopped connecting to the Call Management servers. Also, calls in process suffered poor quality. Using the Local Statistics test on the OptiView Integrated Network Analyzer, broadcast traffic was discovered as using 100% of the utilization on the VoIP VLAN

A loop introduced into the network created a broadcast storm. An exhibitor at the show accidentally looped a cable in his booth, causing the broadcast event.

To be more proactive in monitoring these types of events, Link Analyzer was configured to watch for broadcast storms. Network Management Applications now are alerted when a broadcast storm occurs.

Configuring the Link Analyzer to Monitor Traffic

  1. Connect the Link Analyzer (LA) to the VoIP VLAN on a non-mirrored port. 

    Broadcast traffic on the voice network also would be forwarded to the Link Analyzer as part of the VLAN.  

  2. De-select the capture feature
    There was no need to continually capture and save potential broadcast-storm traffic, so the capture function of the LA was disabled. Only the monitor feature is used on the analyzer.
    ·Click the capture button on Protocol Expert to de-select the capture feature (as shown below)


Configuring an Excessive Broadcast Alarm

Create an alarm to alert if Broadcast levels exceeded 5% of utilization: 

  1. Right-click the Link Analyzer IMM module in the PE resource browser
  2. Select Alarms to configure the Alarm variables
  3. Select a New Alarm
  4. In the Broadcast Frames settings, set:
    ·the count to Delta
    ·the number of occurrences to 10,000
    ·the action to SNMP Trap
    ·the Interval to 1.
    This means if 10,000 broadcast packets are observed (a good amount for a Gigabit connection) during a one second time period, then Link Analyzer will send an SNMP Trap alerting that a storm is in progress.

  5. Enable the alarm by checking the enabled box on the right


Set The Destination For The SNMP Trap

To configure trap destinations for a remote Link Analyzer device:

  1. select the device in the Resource Browser
  2. select Host | Alarms Settings | SNMP Trap settings from the menu bar

    The SNMP Traps dialog box will appear.
  3. Use the Community Settings area to add or delete communities
  4. List all IP addresses for the management systems in the Trap Destinations area.

A maximum of 15 trap destinations can be assigned to each community. All alarms are sent to all specified trap destinations.

At Interop 2005, this method was used to send SNMP Traps to the Computer Associates UniCenter Network Management Platform. These traps alerted eNet engineers of unusual broadcast traffic on the VoIP network within 1 second of the event.


