HP接入点从非IP地址发送多播数据包

我不是我们正常的网络专家...我刚刚被征召来解决这个问题，所以请多多包涵。

我们有一个相当大的网络（约4,000台设备？），主要由HP Procurve设备组成。在过去的几周中，我们不时收到一些广播风暴，这些风暴几乎阻止了所有其他流量通过网络发送。我将Wireshark设置为进行5MB转储，今天早上我在其中发现了其中的一些内容。

您可以下载数据包捕获。乐趣始于数据包＃23968。看似格式错误的NBNS数据包一遍又一遍地重复。但是，这不只是一个直线循环。源（143.226.8.185）和目标（143.226.44.79）IP地址保持不变，但源MAC地址会更改。第一个数据包似乎来自网络上一些无关紧要的设备，并被发送到多播地址01：00：5e：7f：ff：fa。之后的所有数据包都来自我们HP无线访问点的MAC地址，并被发送到其他多播地址01：00：5e：62：2c：4f。

这是第一个数据包：

No.     Time        Source                Destination           Protocol Info
  23968 122.229240  143.226.8.185         143.226.44.79         NBNS     Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]

Frame 23968 (1038 bytes on wire, 1038 bytes captured)
    Arrival Time: Sep 15, 2010 08:32:44.329966000
    [Time delta from previous captured frame: 0.004744000 seconds]
    [Time delta from previous displayed frame: 0.004744000 seconds]
    [Time since reference or first frame: 122.229240000 seconds]
    Frame Number: 23968
    Frame Length: 1038 bytes
    Capture Length: 1038 bytes
    [Frame is marked: True]
    [Protocols in frame: eth:ip:udp:nbns]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b), Dst: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
    Destination: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
        Address: IPv4mcast_7f:ff:fa (01:00:5e:7f:ff:fa)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
        Address: IntelCor_d2:5e:6b (00:1f:3b:d2:5e:6b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 7773643D22687474703A2F2F736368656D61732E786D6C73...
    Frame check sequence: 0x6f70653e [incorrect, should be 0x30019938]
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 203
    Identification: 0x00d0 (208)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0xe485 [correct]
        [Good: True]
        [Bad : False]
    Source: 143.226.8.185 (143.226.8.185)
    Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
    Source port: netbios-ns (137)
    Destination port: netbios-ns (137)
    Length: 183
    Checksum: 0x01db [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
NetBIOS Name Service
    Transaction ID: 0x4d2d
    Flags: 0x5345 (Unknown operation)
        0... .... .... .... = Response: Message is a query
        .101 0... .... .... = Opcode: Unknown (10)
        .... ..1. .... .... = Truncated: Message is truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Broadcast: Not a broadcast packet
    Questions: 16722
    Answer RRs: 17224
    Authority RRs: 8234
    Additional RRs: 8264
    Queries
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (12081)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (11631)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25701)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25914)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25970)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (18273)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (24953)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (26979)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (3338)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (14882)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (28730)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25455)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (8717)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (28513)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (29287)
[Malformed Packet: NBNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

这是下一个数据包：

No.     Time        Source                Destination           Protocol Info
  23969 122.229836  143.226.8.185         143.226.44.79         NBNS     Unknown operation (10) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding) unknown Illegal NetBIOS name (1st character not between A and Z in first-level encoding)[Malformed Packet]

Frame 23969 (217 bytes on wire, 217 bytes captured)
    Arrival Time: Sep 15, 2010 08:32:44.330562000
    [Time delta from previous captured frame: 0.000596000 seconds]
    [Time delta from previous displayed frame: 0.000596000 seconds]
    [Time since reference or first frame: 122.229836000 seconds]
    Frame Number: 23969
    Frame Length: 217 bytes
    Capture Length: 217 bytes
    [Frame is marked: True]
    [Protocols in frame: eth:ip:udp:nbns]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: HewlettP_05:de:da (00:17:a4:05:de:da), Dst: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
    Destination: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
        Address: IPv4mcast_62:2c:4f (01:00:5e:62:2c:4f)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: HewlettP_05:de:da (00:17:a4:05:de:da)
        Address: HewlettP_05:de:da (00:17:a4:05:de:da)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 143.226.8.185 (143.226.8.185), Dst: 143.226.44.79 (143.226.44.79)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 203
    Identification: 0x00d0 (208)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 127
    Protocol: UDP (0x11)
    Header checksum: 0xe585 [correct]
        [Good: True]
        [Bad : False]
    Source: 143.226.8.185 (143.226.8.185)
    Destination: 143.226.44.79 (143.226.44.79)
User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns (137)
    Source port: netbios-ns (137)
    Destination port: netbios-ns (137)
    Length: 183
    Checksum: 0x01db [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
NetBIOS Name Service
    Transaction ID: 0x4d2d
    Flags: 0x5345 (Unknown operation)
        0... .... .... .... = Response: Message is a query
        .101 0... .... .... = Opcode: Unknown (10)
        .... ..1. .... .... = Truncated: Message is truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Broadcast: Not a broadcast packet
    Questions: 16722
    Answer RRs: 17224
    Authority RRs: 8234
    Additional RRs: 8264
    Queries
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (12081)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (12081)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (11631)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (11631)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25701)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25701)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25914)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25914)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25970)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25970)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (18273)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (18273)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (24953)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (24953)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (26979)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (26979)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (3338)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (3338)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (14882)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (14882)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28730)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (28730)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (25455)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (25455)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (8717)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (8717)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (28513)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (28513)
        Illegal NetBIOS name (1st character not between A and Z in first-level encoding): type unknown, class Unknown (29287)
            Name: Illegal NetBIOS name (1st character not between A and Z in first-level encoding)
            Type: unknown
            Class: Unknown (29287)
[Malformed Packet: NBNS]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]

疯了，不是吗？如果查看数据包捕获，那之后您将看到很多重复的数据包。此后，它又不断地进入另外几个文件。

如果这是一个循环，那么为什么仅我们的AP会在周围发送此数据包？这些AP遍布我们的校园。

有关我们网络的更多信息...一切平坦。直以太网运行于所有事物，并且我们拥有IP的B类块。没有子网。在我们的网络和WAN连接之间有一个数据包整形器，防火墙和路由器。

最后，如果您看到此帖子并且对您似乎很熟悉，那是因为过去我发布了一个类似的问题，但我们尚未解决，但最近却没有看到。这可以在发送多播ping请求的HP交换机上找到。

非常感谢您的宝贵时间！

编辑：确认数据包23968是此多播风暴的触发。我已经将那个数据包重播到了我们的网络中，然后又开始了。

编辑/更新：做更多的实验。我已经采用了我们的HP接入点之一，并将其​​直接插入PC。该段没有其他内容。如果我将导致问题的初始数据包重播给AP，则AP会回复一次。如果我将AP的答复重播回AP，它将再次答复。每次这样做，TTL都会降低。此处发生的情况是网络上的AP最初从主机听到断开的多播数据包，然后通过多播回复它。每个AP都会听到其他所有AP的答复，并且会回复它们。每个AP都听到对所有答复的答复，并对其进行答复。幸运的是，它每次都会降低TTL，因此一旦TTL变为0，数据包就被杀死，风暴就消失了。现在，我需要做的就是弄清楚如何停止这种行为！

我面前的AP是HP Procruve 420 J8130B。

编辑（已解决！）： 似乎尝试了AP上的每个配置设置之后，我仍然无法阻止它重新传输那些多播数据包。我发现我们没有使用最新的固件，因此我尝试升级，但是问题仍然存在。然后，我尝试从2006年11月29日降级到2.1.7版。此固件没有问题！运行2.1.7的AP不会重传数据包！！！！我仍在等待弄清楚垃圾数据是如何首先从网络上获取的，但问题现在已经解决。我们正在与HP进行错误报告。

首先，这些不是NBNS数据包，它们实际上是通用即插即用数据包，试图搜索启用了“ Internet网关设备”的设备。UPNP-IGD使用IPv4组播定位此类边缘设备。这样的协议说应该只有一个。赠品在数据包有效载荷中：

M-SEARCH * HTTP / 1.1
主持人：239.255.255.250：1900
ST：urn：schemas-upnp-org：device：InternetGatewayDevice：1
男人：“ ssdp：发现”
MX：3

.xmlsoap.org / ws / 2004/08 / addressing” xmlns：

一些应用程序使用IGD来告诉消费者NAT网关如何处理某些协议的NAT遍历。IM应用程序等。您可以通过告诉Wireshark将UDP / 137解码为HTTP进行捕获，从而更好地显示事物。

现在，为什么这会引起多播风暴是个大问题。在暴风雨来临之前，您会收到相同类型的数据包，但它们已正确发送到239.255.255.250:1900。实际上，数据包23955来自于引发23968风暴的同一台设备。但是，数据包23968显示了相同的目标MAC地址（一个表示IPv4组播），但是目标IP地址在您的/ 16块中，因此不应多播。

数据包23604的格式也很不正确。它有一个有效的以太网头，但是IP头却被截断了，并以我上面引用的相同UPNP-IGD字符串结尾。发出此奇怪的奇怪数据包的设备与引发多播风暴的数据包23968是同一设备（好吧，无论如何来自相同的MAC地址）。

最好的选择是，设备在00：1F：3B：D2：5E：6D处以某种方式连接，或者独特地无法正确处理这些UPNP搜索请求。数据包24717显示了另一个前往同一设备的239.255.255.250:3702的M-SEARCH请求。正确的IP地址，错误的端口（应为1900）。

我的猜测是，多播风暴正在由单播IP地址和多播MAC地址一起到达的数据包引发，并且您的网络设备无法正确处理这种无效情况。这暗示了一个事实，即最初的一个之后的数据包都声称是从同一IP（143.226.8.185）发出的，但是MAC地址都不同。您有一个损坏的设备，该设备设法在网络设备的多播/单播处理中发现了一个错误。

@Brad：我刚刚看到了这个，想知道它是否可以使您对问题有任何了解。

http://support.microsoft.com/kb/317843

我的建议是在正在发送广播的主机中打开任务管理器，并尝试一对一关闭可能将某些内容发送到网络的所有应用程序，同时查看网络中的软件包（Wireshark）以进行搜索对于出现问题的应用程序。