Network Troubleshooting: Broadcast Analysis 101
In this video, Tony Fortunato demonstrates how packet capture analysis can uncover network misconfigurations and other problems.
November 18, 2015
When I'm working at a client site, I always start a packet capture -- with the client's permission, of course -- and stop after approximately 1,000 packets. Then I review the various protocols and services sent out on the wire by any network-connected device. I will see packets from clients, servers, phones, printers, switches, routers, and other devices. I do not need a tap or a mirror/SPAN port to do this broadcast analysis, because broadcast and multicast traffic reaches every port on the segment.
By analyzing this traffic, I can make suggestions to clean up "space junk" (all those unnecessary packets) floating around the network. The benefits of going through this exercise are many. For example, you will have fewer packets to sift through when performing network troubleshooting. In some cases, it will be easy to pinpoint problems. In extreme cases, I have seen standard configurations cause broadcast storms that were easily fixed by cleaning up the desktop standard configuration. In other cases, I have found problems such as misconfigured load balancing and misconfigured IP helper addresses.
I encourage you to take a quick sample of your network traffic and give it a try. You will be surprised at what you find.
In this video, I cover STP, LLDP, CDP, NTP, LLMNR, IPv6 and SSDP, what they look like in your trace, and what to do when you come across them. I also discuss how you can streamline your analysis by leveraging the Protocol Hierarchy and Endpoint report features in Wireshark. If you are using another protocol analyzer, poke around and you should find similar reports.
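As an added illustration (not code from the video or its author), the following script reproduces the gist of the Protocol Hierarchy and Endpoint reports for the protocols listed above, working over a handful of constructed Ethernet frames of the kind an access port sees without any SPAN configuration; the MAC addresses, frame contents and the `classify`/`summarize` names are all assumptions made here.

```python
import struct
from collections import Counter

def eth(dst, src, etype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload

def udp4(dst_port):
    """Minimal IPv4 (IHL=5, proto 17) + UDP header; checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, b"\x0a\x00\x00\x05", b"\xff" * 4)
    return ip + struct.pack("!HHHH", 50000, dst_port, 8, 0)

def classify(frame):
    """Bucket a frame the way Wireshark's Protocol Hierarchy would."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype < 0x0600:                      # 802.3 length field: LLC header follows
        if frame[14] == 0x42:               # DSAP 0x42 = Spanning Tree BPDU
            return "stp"
        if frame[14] == 0xAA and frame[17:22] == b"\x00\x00\x0c\x20\x00":
            return "cdp"                    # SNAP with Cisco OUI + PID 0x2000
        return "llc"
    if etype == 0x88CC: return "lldp"
    if etype == 0x0806: return "arp"
    if etype == 0x86DD: return "ipv6"
    if etype == 0x0800 and frame[23] == 17: # IPv4 carrying UDP (assumes IHL=5)
        dport = struct.unpack("!H", frame[36:38])[0]
        return {123: "ntp", 5355: "llmnr", 1900: "ssdp"}.get(dport, "udp")
    return "other"

def summarize(frames):
    """Protocol Hierarchy plus Endpoint-style counts for a list of raw frames."""
    protos, talkers, group = Counter(), Counter(), 0
    for f in frames:
        protos[classify(f)] += 1
        talkers[f[6:12].hex(":")] += 1      # source MAC = the endpoint to go visit
        group += f[0] & 1                   # I/G bit set = broadcast or multicast
    return {"protocols": dict(protos), "talkers": dict(talkers),
            "group_pct": round(100 * group / len(frames), 1)}

# Constructed sample (hypothetical MACs) of the first frames seen on an access port.
BCAST, STP_MC, LLDP_MC, CDP_MC = "ffffffffffff", "0180c2000000", "0180c200000e", "01000ccccccc"
PC, SW = "001122334455", "aabbccddeeff"
SAMPLE = [
    eth(STP_MC, SW, 0x0026, b"\x42\x42\x03" + b"\x00" * 35),          # switch BPDU
    eth(LLDP_MC, SW, 0x88CC, b"\x02\x07\x04" + bytes.fromhex(SW)),     # LLDP chassis TLV
    eth(CDP_MC, SW, 0x0020, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + b"\x00" * 24),
    eth(BCAST, PC, 0x0800, udp4(1900)),                                # SSDP discovery
    eth(BCAST, PC, 0x0800, udp4(5355)),                                # LLMNR name lookup
    eth(BCAST, PC, 0x0800, udp4(123)),                                 # broadcast NTP
    eth("3333000000fb", PC, 0x86DD, b"\x60" + b"\x00" * 39),           # IPv6 multicast
    eth(SW, PC, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x02" + b"\x00" * 20),  # unicast ARP
]
```

Run `summarize(SAMPLE)` to get the per-protocol counts, the per-source-MAC talker table and the share of group-addressed frames; the desktop that sources most of the SSDP/LLMNR chatter is the one whose standard configuration is worth cleaning up.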