Wireshark-users: Re: [Wireshark-users] High broadcast traffic
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 23 Feb 2008 09:19:16 +0100
On Fri, Feb 22, 2008 at 07:40:54PM -0500, joans4nz wrote:
> 2008/2/20, Hansang Bae <hbae@xxxxxxxxxx>:
> >
> > joans4nz wrote:
> > > I'm a network administrator in my new job and when I ran Wireshark I saw
> > > too much ARP traffic level and Ntop shows 86% broadcast traffic too.
> 
> > 86% of TOTAL traffic on your network is broadcast?

> Yes, maybe less, 70% or 60%, is too high.

> > Or just what you are seeing on your port?
> First in my port and now in other switch I ran Ntop and Wireshark.

By the very nature of a switchport, there will be mostly broad- and
multi-cast messages on a port that is connected to a system that does
not transmit any packets of its own. This is because broadcast messages
need to be sent to every switchport and multicast messages will by
default (i.e. without any multicast implementation in place) also be
sent out on every port.

So if the port does not have a system connected to it that generates
unicast packets, then the percentage can be very high. More interesting
in this situation is the absolute amount of broad/multicast packets on
the port.

Another good measure would be to span a switchport that has a server
connected to it and check the percentage of broad/multicast packets
there.

Cheers,
    Sake
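
Added example, not part of the original message: a small Python parser for classic pcap files that reports both the broadcast/multicast share and the absolute broadcast/multicast rate, the two measures compared in the reply above. The two captures are constructed inline, and all function names and MAC addresses are assumptions made for illustration.

```python
import struct

PCAP_HDR = "<IHHiIII"   # classic pcap global header, little-endian
REC_HDR = "<IIII"       # per-packet header: sec, usec, caplen, origlen

def classify(dst: bytes) -> str:
    """Classify an Ethernet destination MAC address."""
    if dst == b"\xff" * 6:
        return "broadcast"
    # I/G bit (lowest bit of the first octet) set means a group address.
    return "multicast" if dst[0] & 0x01 else "unicast"

def summarize(pcap: bytes) -> dict:
    """Per-class frame counts, group-traffic share and absolute rate."""
    magic, *_, linktype = struct.unpack_from(PCAP_HDR, pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("need little-endian pcap with Ethernet link type")
    counts = {"broadcast": 0, "multicast": 0, "unicast": 0}
    stamps, off = [], struct.calcsize(PCAP_HDR)
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from(REC_HDR, pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 14:          # no complete Ethernet header captured
            continue
        counts[classify(frame[:6])] += 1
        stamps.append(sec + usec / 1e6)
    total = sum(counts.values())
    group = counts["broadcast"] + counts["multicast"]
    span = max(stamps) - min(stamps) if stamps else 0.0
    return {**counts, "total": total,
            "group_pct": 100.0 * group / total if total else 0.0,
            "group_pps": group / span if span > 0 else None}

def build_pcap(frames) -> bytes:
    """Build a constructed sample capture from (second, dst_mac) pairs."""
    out = struct.pack(PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, dst in frames:
        frame = dst + bytes.fromhex("020000000001") + b"\x08\x00" + bytes(46)
        out += struct.pack(REC_HDR, sec, 0, len(frame), len(frame)) + frame
    return out

# Constructed samples: the same 10 broadcast/multicast frames in a 9 s window,
# seen on an idle port and on a port that also carries 90 unicast frames.
BCAST, MCAST = b"\xff" * 6, bytes.fromhex("01005e0000fb")
SERVER_MAC = bytes.fromhex("02000000000a")
GROUP = [(s, BCAST if s < 8 else MCAST) for s in range(10)]
IDLE_PORT = build_pcap(GROUP)
SERVER_PORT = build_pcap(sorted(GROUP + [(i % 10, SERVER_MAC) for i in range(90)]))
```

Both constructed captures carry the same absolute broadcast/multicast rate, yet the share is 100% on the idle port and 10% on the port that also carries unicast traffic.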