Question : Analyzing network traffic

Hi, ran a sniffer for a few seconds and saw this

Source                      Dest         Protocol    INFO
02:01:00:00:00:00  ----->   Broadcast    0x886f      MS NLB Heartbeat


I'm seeing a lot of this traffic. It is 80% of the traffic. Anyone have any idea what it is?

2. Also, the STP protocol is running on my network and I only have one switch in my lab. Why would this be running? (I did have another switch before, but removed it)

3. I'm also noticing the CDP protocol is running on my switch. It is doing the following:

Source               Dest                 Protocol    INFO
00:90:f2:44:ae:01    01:00:0c:cc:cc:cc    CDP/VTP     Cisco Discovery Protocol

I know what CDP is for, but what is up with that destination MAC address?

Answer : Analyzing network traffic

1. It means that there is at least one node running W2K ADV SVR's NLB (network load balancing) service on your network. NLB will generate a huge amount of traffic on the network, as you have seen. You may NOT be able to locate the node by its MAC address directly, because NLB uses a VIRTUAL MAC address instead. Commonly, a good networking design for NLB is to use an individual and isolated network for heartbeat communication.

2. If you have only ONE switch on the network and NO VLAN deployed, you may consider disabling STP, to avoid the 30-second delay in packet forwarding from a port when a switch reconfigures.

3. "01:00:0c:cc:cc:cc" is a multicast address, used for locating other CDP-enabled network neighbors.

Hope it helps,
bbao
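
As an added example (not part of the original question or answer), the Python sketch below decodes the two flag bits in the first octet of each MAC address and identifies the two frame types from the capture. The frame bytes are constructed from the addresses and EtherType shown above; the function names, the payload bytes and the length field are assumptions made for illustration.

```python
import struct

ETHERTYPE_NLB_HEARTBEAT = 0x886F              # EtherType shown in the capture above
CDP_SNAP = bytes.fromhex("aaaa0300000c2000")  # LLC/SNAP header: Cisco OUI 00:00:0c, PID 0x2000


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def mac_flags(mac: bytes) -> dict:
    """Decode the I/G and U/L bits carried in the first octet of a MAC address."""
    return {
        "multicast": bool(mac[0] & 0x01),             # I/G bit: group (multicast/broadcast)
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit: not a vendor burned-in address
    }


def classify(frame: bytes) -> dict:
    """Parse the 14-byte Ethernet header and name the protocol if it is one seen above."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len == ETHERTYPE_NLB_HEARTBEAT:
        protocol = "MS NLB heartbeat"
    elif type_or_len < 0x0600 and frame[14:22] == CDP_SNAP:
        # Values below 0x0600 are an 802.3 length, so the protocol is named by LLC/SNAP.
        protocol = "CDP"
    else:
        protocol = f"unknown (0x{type_or_len:04x})"
    return {
        "dst": mac_str(dst), "dst_flags": mac_flags(dst),
        "src": mac_str(src), "src_flags": mac_flags(src),
        "protocol": protocol,
    }


# Constructed sample frames: headers built from the capture, payload bytes are filler.
NLB_FRAME = bytes.fromhex("ffffffffffff" "020100000000" "886f") + bytes(8)
CDP_FRAME = bytes.fromhex("01000ccccccc" "0090f244ae01" "000c") + CDP_SNAP + bytes(4)

if __name__ == "__main__":
    for frame in (NLB_FRAME, CDP_FRAME):
        print(classify(frame))
```

The NLB source address decodes as unicast and locally administered, which is consistent with the answer's point that it is a virtual MAC rather than a NIC's burned-in address; the CDP destination has the group bit set, which is what makes it a multicast address.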