Monday, 2 February 2015

ICMPv6 Broadcast Storm - Wireshark Network Diagnostics


Wireshark Network Diagnostics - ICMPv6 Broadcast Storm
When I got back to work after the wonderful Xmas break I made a start on installing 50 new desktop computers, so I fired up my imaging system (MDT + WDS) and imaged all of the computers, no problems.
Not too long after I had finished my imaging I noticed that the network was slowly but surely grinding to a halt: all my servers kept dropping out, the wireless controller was having a fit, and then pretty much everything was stuffed. I decided I needed to get Wireshark running to see what was going on, and straight away I was confronted with the image below.
[Image: Wireshark]
Lots of RED. NOOOOOOOOOOOOOOO! If you have ever used Wireshark before you will know that seeing this much red is not a good thing. After 1 minute of packet capturing there were over 1 million packets; the network was literally brought to its knees.
When I stopped the capture I clicked on one of the red lines and drilled down. I found the MAC address of the offending computer and then went onto the DHCP server to try to find it.
After a short while of searching I found it in the system and, to my surprise, it was one of the new computers I had imaged earlier in the week.
I then went on to the net to check out why it was causing issues. The network card in the new computers was the Intel I217-LM, and the driver I was using was the most recent one from the HP website, so this should be fine, right... ummmm, no, that would appear not to be the case. I found that the specific driver, which was 12.10.30.5890 dated 16/12/2013, has issues whilst the computer is in hibernation, sending out literally millions of IPv6 requests, and when you have more than one of these suckers that's when the broadcast storm starts up.
We don't use IPv6 in our network, so I started the process of disabling all of the IPv6 settings on the network card, but the issue still remained. I then headed over to the Intel website and found out that the driver on the HP website was sooooooo out of date. I downloaded the latest driver from the Intel website and proceeded to install it on all of the other computers. Once I had finished installing the driver and changed the remaining Wake on LAN and IPv6 settings I ran another scan in Wireshark, and the proof was in the pudding as per the picture below.
[Image: Wireshark 2]
After a few reboots of the switches everything was operating back at a normal pace.
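
The triage step described above (finding which source MAC is flooding the segment), as an added example that is not part of the original post: it counts ICMPv6 frames per source MAC in a saved classic-pcap capture and flags sources above a packets-per-second limit. The function names, the limit and the constructed sample capture (MACs 02:00:00:00:00:0x) are assumptions, and looking behind a hop-by-hop header, where MLD messages sit, goes slightly beyond what the post shows.

```python
import struct
from collections import Counter

ETH_IPV6, NH_HOPOPT, NH_ICMPV6 = 0x86DD, 0, 58

def icmpv6_by_source(pcap):
    """Count ICMPv6 frames per source MAC in a classic Ethernet pcap.
    Returns (Counter of MAC -> frames, capture duration in seconds)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    counts, first, last, off = Counter(), None, None, 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        last = sec + usec / 1e6
        first = last if first is None else first
        if len(frame) < 54 or frame[12:14] != struct.pack("!H", ETH_IPV6):
            continue                  # not IPv6 (VLAN-tagged frames are skipped)
        nh = frame[20]                # Next Header field of the IPv6 header
        if nh == NH_HOPOPT and len(frame) >= 56:
            nh = frame[54]            # only the first extension header is followed
        if nh == NH_ICMPV6:
            counts[":".join(f"{b:02x}" for b in frame[6:12])] += 1
    return counts, (last - first if first is not None else 0.0)

def storm_suspects(counts, duration, pps_limit):
    """Source MACs whose ICMPv6 rate exceeds pps_limit packets per second."""
    return sorted(m for m, n in counts.items() if n / max(duration, 1.0) > pps_limit)

def record(ts, src_mac, nh):
    """Build one constructed pcap record: Ethernet + IPv6 header + 8 bytes."""
    ipv6 = struct.pack("!IHBB", 0x60000000, 8, nh, 1) + bytes(32)
    body = bytes([NH_ICMPV6, 0]) + bytes(6)   # doubles as a hop-by-hop header
    frame = (bytes.fromhex("333300000001" + src_mac)
             + struct.pack("!H", ETH_IPV6) + ipv6 + body)
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

# Constructed capture: one noisy host, one quiet host, one host sending UDP.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE += b"".join(record(i // 100, "020000000001", NH_HOPOPT) for i in range(300))
SAMPLE += record(2, "020000000002", NH_ICMPV6) * 2
SAMPLE += record(2, "020000000003", 17) * 5

if __name__ == "__main__":
    counts, secs = icmpv6_by_source(SAMPLE)
    print(counts.most_common(5), storm_suspects(counts, secs, pps_limit=100))
```

To use it on a real capture, save the capture in classic pcap format (not pcapng) and pass the file's bytes to `icmpv6_by_source`.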
