Massive amount of broadcasts from a server.

Hello-

First let me explain to you the History of this server so you will
understand a little more.

I had an older server named mason-1 which I was replacing. I built the
new server and named the new server mason-2 so as to not have a name
conflict. When the new server was running as it should I decomissioned
the old and renamed the new server to mason-1. Keep in mind there is
no AD in the picture at this point.

Since then I have installed Active Directory on it (it is the forest
root domain controller and the only DC in the forest/domain) along with
exchange and MSSQL for CRM 3.0. I have noticed over the past several
months that all of the lights on my switches, router and WAP's blink
constantly even when there should be minimal or no network activity.
It has caused my firewall to lock up several times and also seems to
slow the network a bit. So I finally decided to investigate it and
narrowed it down to the server (mason-1). When I unplug the server
from the network all lights cease to blink and only blink when there is
activity between 2 nodes. When I plug it back in...they all start to
blink again.

I installed network monitor that is included with windows server 2003
(enterprise edition) and ran a capture for sixty (60) seconds. Over
that 60 seconds I captured 325 broadcasts (5.5 per second). On a
network with 5 computers currently that is not right.

I looked into the broadcasts in network monitor and it appears that the
server is broadcasting to find the address for Mason-2, even though
this server is no longer named that and there is no mason-2 on the
network. (Keep in mind the server was renamed before AD was even a
thought).

The output of network monitor for one of the broadcasts looks like
this, all broadcasts are identical:

147 44.156250 LOCAL *BROADCAST NBT NS: Query req. for MASON-2
<00> MASON-1 192.168.0.255 IP

FRAME: Base frame properties
FRAME: Time of capture = 11/21/2006 10:45:02 PM
FRAME: Time delta from previous physical frame: 46875 microseconds
FRAME: Frame number: 147
FRAME: Total frame length: 92 bytes
FRAME: Capture frame length: 92 bytes
FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = FFFFFFFFFFFF
ETHERNET: 1....... = Group address
ETHERNET: .1...... = Locally administered address
ETHERNET: Source address = 000FEA3DB73D
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 464; Total IP Length =
78; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 78 (0x4E)
IP: Identification = 464 (0x1D0)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 46715 (0xB67B)
IP: Source Address = 192.168.0.4
IP: Destination Address = 192.168.0.255
UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name
Service (137); Length = 58 (0x3A)
UDP: Source Port = NETBIOS Name Service
UDP: Destination Port = NETBIOS Name Service
UDP: Total length = 58 (0x3A)
UDP: UDP Checksum = 0x49CD
NBT: NS: Query req. for MASON-2 <00>
NBT: Transaction ID = 49110 (0xBFD6)
NBT: Flags Summary = 0x0110 - Req.; Query; Success
NBT: 0............... = Request
NBT: .0000........... = Query
NBT: .....0.......... = Non-authoritative Answer
NBT: ......0......... = Datagram not truncated
NBT: .......1........ = Recursion desired
NBT: ........0....... = Recursion not available
NBT: .........0...... = Reserved
NBT: ..........0..... = Reserved
NBT: ...........1.... = Broadcast packet
NBT: ............0000 = Success
NBT: Question Count = 1 (0x1)
NBT: Answer Count = 0 (0x0)
NBT: Name Service Count = 0 (0x0)
NBT: Additional Record Count = 0 (0x0)
NBT: Question Name =MASON-2 <00>
NBT: Question Type = General Name Service
NBT: Question Class = Internet Class
00000: FF FF FF FF FF FF 00 0F EA 3D B7 3D 08 00 45 00
ÿÿÿÿÿÿ..ê=·=..E.
00010: 00 4E 01 D0 00 00 80 11 B6 7B C0 A8 00 04 C0 A8
..N.Ð..€.¶{À¨..À¨
00020: 00 FF 00 89 00 89 00 3A 49 CD BF D6 01 10 00 01
..ÿ.‰.‰.:IÍ¿Ö....
00030: 00 00 00 00 00 00 20 45 4E 45 42 46 44 45 50 45 ......
ENEBFDEPE
00040: 4F 43 4E 44 43 43 41 43 41 43 41 43 41 43 41 43
OCNDCCACACACACAC
00050: 41 43 41 43 41 41 41 00 00 20 00 01 ACACAAA.. ..


Can anyone advise me on how to get "mason-2" out of its head so it will
cease broadcasting for it?

Thanks very much
/Ehren

Is the server trying to replicate to another domain control which it cannot
contact? There should be some errors about this in the event log.


"Wingnut" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
Hello-

First let me explain to you the History of this server so you will
understand a little more.

I had an older server named mason-1 which I was replacing. I built the
new server and named the new server mason-2 so as to not have a name
conflict. When the new server was running as it should I decomissioned
the old and renamed the new server to mason-1. Keep in mind there is
no AD in the picture at this point.

Since then I have installed Active Directory on it (it is the forest
root domain controller and the only DC in the forest/domain) along with
exchange and MSSQL for CRM 3.0. I have noticed over the past several
months that all of the lights on my switches, router and WAP's blink
constantly even when there should be minimal or no network activity.
It has caused my firewall to lock up several times and also seems to
slow the network a bit. So I finally decided to investigate it and
narrowed it down to the server (mason-1). When I unplug the server
from the network all lights cease to blink and only blink when there is
activity between 2 nodes. When I plug it back in...they all start to
blink again.

I installed network monitor that is included with windows server 2003
(enterprise edition) and ran a capture for sixty (60) seconds. Over
that 60 seconds I captured 325 broadcasts (5.5 per second). On a
network with 5 computers currently that is not right.

I looked into the broadcasts in network monitor and it appears that the
server is broadcasting to find the address for Mason-2, even though
this server is no longer named that and there is no mason-2 on the
network. (Keep in mind the server was renamed before AD was even a
thought).

The output of network monitor for one of the broadcasts looks like
this, all broadcasts are identical:

147 44.156250 LOCAL *BROADCAST NBT NS: Query req. for MASON-2
<00> MASON-1 192.168.0.255 IP

FRAME: Base frame properties
FRAME: Time of capture = 11/21/2006 10:45:02 PM
FRAME: Time delta from previous physical frame: 46875 microseconds
FRAME: Frame number: 147
FRAME: Total frame length: 92 bytes
FRAME: Capture frame length: 92 bytes
FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = FFFFFFFFFFFF
ETHERNET: 1....... = Group address
ETHERNET: .1...... = Locally administered address
ETHERNET: Source address = 000FEA3DB73D
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 464; Total IP Length =
78; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 78 (0x4E)
IP: Identification = 464 (0x1D0)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 46715 (0xB67B)
IP: Source Address = 192.168.0.4
IP: Destination Address = 192.168.0.255
UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name
Service (137); Length = 58 (0x3A)
UDP: Source Port = NETBIOS Name Service
UDP: Destination Port = NETBIOS Name Service
UDP: Total length = 58 (0x3A)
UDP: UDP Checksum = 0x49CD
NBT: NS: Query req. for MASON-2 <00>
NBT: Transaction ID = 49110 (0xBFD6)
NBT: Flags Summary = 0x0110 - Req.; Query; Success
NBT: 0............... = Request
NBT: .0000........... = Query
NBT: .....0.......... = Non-authoritative Answer
NBT: ......0......... = Datagram not truncated
NBT: .......1........ = Recursion desired
NBT: ........0....... = Recursion not available
NBT: .........0...... = Reserved
NBT: ..........0..... = Reserved
NBT: ...........1.... = Broadcast packet
NBT: ............0000 = Success
NBT: Question Count = 1 (0x1)
NBT: Answer Count = 0 (0x0)
NBT: Name Service Count = 0 (0x0)
NBT: Additional Record Count = 0 (0x0)
NBT: Question Name =MASON-2 <00>
NBT: Question Type = General Name Service
NBT: Question Class = Internet Class
00000: FF FF FF FF FF FF 00 0F EA 3D B7 3D 08 00 45 00
ÿÿÿÿÿÿ..ê=·=..E.
00010: 00 4E 01 D0 00 00 80 11 B6 7B C0 A8 00 04 C0 A8
..N.Ð..?.¶{À¨..À¨
00020: 00 FF 00 89 00 89 00 3A 49 CD BF D6 01 10 00 01
..ÿ.?.?.:IÍ¿Ö....
00030: 00 00 00 00 00 00 20 45 4E 45 42 46 44 45 50 45 ......
ENEBFDEPE
00040: 4F 43 4E 44 43 43 41 43 41 43 41 43 41 43 41 43
OCNDCCACACACACAC
00050: 41 43 41 43 41 41 41 00 00 20 00 01 ACACAAA.. ..


Can anyone advise me on how to get "mason-2" out of its head so it will
cease broadcasting for it?

Thanks very much
/Ehren

Hi!

You should find out which NetBIOS application makes this queries. Name
resolition broadcasts can be stopped with enabling lmhosts lookup if you
add entry for old server with #PRE tag. This will not resolve your problem,
it should only stop brodcasts.

HTH

Toni

"Wingnut" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
Hello-

First let me explain to you the History of this server so you will
understand a little more.

I had an older server named mason-1 which I was replacing. I built the
new server and named the new server mason-2 so as to not have a name
conflict. When the new server was running as it should I decomissioned
the old and renamed the new server to mason-1. Keep in mind there is
no AD in the picture at this point.

Since then I have installed Active Directory on it (it is the forest
root domain controller and the only DC in the forest/domain) along with
exchange and MSSQL for CRM 3.0. I have noticed over the past several
months that all of the lights on my switches, router and WAP's blink
constantly even when there should be minimal or no network activity.
It has caused my firewall to lock up several times and also seems to
slow the network a bit. So I finally decided to investigate it and
narrowed it down to the server (mason-1). When I unplug the server
from the network all lights cease to blink and only blink when there is
activity between 2 nodes. When I plug it back in...they all start to
blink again.

I installed network monitor that is included with windows server 2003
(enterprise edition) and ran a capture for sixty (60) seconds. Over
that 60 seconds I captured 325 broadcasts (5.5 per second). On a
network with 5 computers currently that is not right.

I looked into the broadcasts in network monitor and it appears that the
server is broadcasting to find the address for Mason-2, even though
this server is no longer named that and there is no mason-2 on the
network. (Keep in mind the server was renamed before AD was even a
thought).

The output of network monitor for one of the broadcasts looks like
this, all broadcasts are identical:

147 44.156250 LOCAL *BROADCAST NBT NS: Query req. for MASON-2
<00> MASON-1 192.168.0.255 IP

FRAME: Base frame properties
FRAME: Time of capture = 11/21/2006 10:45:02 PM
FRAME: Time delta from previous physical frame: 46875 microseconds
FRAME: Frame number: 147
FRAME: Total frame length: 92 bytes
FRAME: Capture frame length: 92 bytes
FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = FFFFFFFFFFFF
ETHERNET: 1....... = Group address
ETHERNET: .1...... = Locally administered address
ETHERNET: Source address = 000FEA3DB73D
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = UDP - User Datagram; Packet ID = 464; Total IP Length =
78; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 78 (0x4E)
IP: Identification = 464 (0x1D0)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 46715 (0xB67B)
IP: Source Address = 192.168.0.4
IP: Destination Address = 192.168.0.255
UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name
Service (137); Length = 58 (0x3A)
UDP: Source Port = NETBIOS Name Service
UDP: Destination Port = NETBIOS Name Service
UDP: Total length = 58 (0x3A)
UDP: UDP Checksum = 0x49CD
NBT: NS: Query req. for MASON-2 <00>
NBT: Transaction ID = 49110 (0xBFD6)
NBT: Flags Summary = 0x0110 - Req.; Query; Success
NBT: 0............... = Request
NBT: .0000........... = Query
NBT: .....0.......... = Non-authoritative Answer
NBT: ......0......... = Datagram not truncated
NBT: .......1........ = Recursion desired
NBT: ........0....... = Recursion not available
NBT: .........0...... = Reserved
NBT: ..........0..... = Reserved
NBT: ...........1.... = Broadcast packet
NBT: ............0000 = Success
NBT: Question Count = 1 (0x1)
NBT: Answer Count = 0 (0x0)
NBT: Name Service Count = 0 (0x0)
NBT: Additional Record Count = 0 (0x0)
NBT: Question Name =MASON-2 <00>
NBT: Question Type = General Name Service
NBT: Question Class = Internet Class
00000: FF FF FF FF FF FF 00 0F EA 3D B7 3D 08 00 45 00
ÿÿÿÿÿÿ..ê=·=..E.
00010: 00 4E 01 D0 00 00 80 11 B6 7B C0 A8 00 04 C0 A8
..N.Ð..?.¶{À¨..À¨
00020: 00 FF 00 89 00 89 00 3A 49 CD BF D6 01 10 00 01
..ÿ.?.?.:IÍ¿Ö....
00030: 00 00 00 00 00 00 20 45 4E 45 42 46 44 45 50 45 ......
ENEBFDEPE
00040: 4F 43 4E 44 43 43 41 43 41 43 41 43 41 43 41 43
OCNDCCACACACACAC
00050: 41 43 41 43 41 41 41 00 00 20 00 01 ACACAAA.. ..


Can anyone advise me on how to get "mason-2" out of its head so it will
cease broadcasting for it?

Thanks very much
/Ehren

Is there any utility or way I can tell what application it is coming
from?

Can you possibly give me the full syntax of the entry for the lmhosts
file if I was to point mason-2 to the address of mason-1 since mason-2
IS mason-1?

Thanks!
T. Uranjek wrote:
> Hi!
>
> You should find out which NetBIOS application makes this queries. Name
> resolition broadcasts can be stopped with enabling lmhosts lookup if you
> add entry for old server with #PRE tag. This will not resolve your problem,
> it should only stop brodcasts.
>
> HTH
>
> Toni
>
> "Wingnut" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> Hello-
>
> First let me explain to you the History of this server so you will
> understand a little more.
>
> I had an older server named mason-1 which I was replacing. I built the
> new server and named the new server mason-2 so as to not have a name
> conflict. When the new server was running as it should I decomissioned
> the old and renamed the new server to mason-1. Keep in mind there is
> no AD in the picture at this point.
>
> Since then I have installed Active Directory on it (it is the forest
> root domain controller and the only DC in the forest/domain) along with
> exchange and MSSQL for CRM 3.0. I have noticed over the past several
> months that all of the lights on my switches, router and WAP's blink
> constantly even when there should be minimal or no network activity.
> It has caused my firewall to lock up several times and also seems to
> slow the network a bit. So I finally decided to investigate it and
> narrowed it down to the server (mason-1). When I unplug the server
> from the network all lights cease to blink and only blink when there is
> activity between 2 nodes. When I plug it back in...they all start to
> blink again.
>
> I installed network monitor that is included with windows server 2003
> (enterprise edition) and ran a capture for sixty (60) seconds. Over
> that 60 seconds I captured 325 broadcasts (5.5 per second). On a
> network with 5 computers currently that is not right.
>
> I looked into the broadcasts in network monitor and it appears that the
> server is broadcasting to find the address for Mason-2, even though
> this server is no longer named that and there is no mason-2 on the
> network. (Keep in mind the server was renamed before AD was even a
> thought).
>
> The output of network monitor for one of the broadcasts looks like
> this, all broadcasts are identical:
>
> 147 44.156250 LOCAL *BROADCAST NBT NS: Query req. for MASON-2
> <00> MASON-1 192.168.0.255 IP
>
> FRAME: Base frame properties
> FRAME: Time of capture = 11/21/2006 10:45:02 PM
> FRAME: Time delta from previous physical frame: 46875 microseconds
> FRAME: Frame number: 147
> FRAME: Total frame length: 92 bytes
> FRAME: Capture frame length: 92 bytes
> FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
> ETHERNET: EType = Internet IP (IPv4)
> ETHERNET: Destination address = FFFFFFFFFFFF
> ETHERNET: 1....... = Group address
> ETHERNET: .1...... = Locally administered address
> ETHERNET: Source address = 000FEA3DB73D
> ETHERNET: .0...... = Universally administered address
> ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
> IP: Protocol = UDP - User Datagram; Packet ID = 464; Total IP Length =
> 78; Options = No Options
> IP: Version = IPv4; Header Length = 20
> IP: 0100.... = IP Version 4
> IP: ....0101 = Header Length 20
> IP: Type of Service = Normal Service
> IP: 000..... = Precedence - Routine
> IP: ...0.... = Normal Delay
> IP: ....0... = Normal Throughput
> IP: .....0.. = Normal Reliability
> IP: ......0. = Normal Monetary Cost
> IP: Total Length = 78 (0x4E)
> IP: Identification = 464 (0x1D0)
> IP: Fragmentation Summary = 0 (0x0)
> IP: .0.............. = May fragment datagram if necessary
> IP: ..0............. = Last fragment in datagram
> IP: ...0000000000000 = Fragment Offset 0 (0x0000)
> IP: Time to Live = 128 (0x80)
> IP: Protocol = UDP - User Datagram
> IP: Checksum = 46715 (0xB67B)
> IP: Source Address = 192.168.0.4
> IP: Destination Address = 192.168.0.255
> UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name
> Service (137); Length = 58 (0x3A)
> UDP: Source Port = NETBIOS Name Service
> UDP: Destination Port = NETBIOS Name Service
> UDP: Total length = 58 (0x3A)
> UDP: UDP Checksum = 0x49CD
> NBT: NS: Query req. for MASON-2 <00>
> NBT: Transaction ID = 49110 (0xBFD6)
> NBT: Flags Summary = 0x0110 - Req.; Query; Success
> NBT: 0............... = Request
> NBT: .0000........... = Query
> NBT: .....0.......... = Non-authoritative Answer
> NBT: ......0......... = Datagram not truncated
> NBT: .......1........ = Recursion desired
> NBT: ........0....... = Recursion not available
> NBT: .........0...... = Reserved
> NBT: ..........0..... = Reserved
> NBT: ...........1.... = Broadcast packet
> NBT: ............0000 = Success
> NBT: Question Count = 1 (0x1)
> NBT: Answer Count = 0 (0x0)
> NBT: Name Service Count = 0 (0x0)
> NBT: Additional Record Count = 0 (0x0)
> NBT: Question Name =MASON-2 <00>
> NBT: Question Type = General Name Service
> NBT: Question Class = Internet Class
> 00000: FF FF FF FF FF FF 00 0F EA 3D B7 3D 08 00 45 00
> ÿÿÿÿÿÿ..ê=·=..E.
> 00010: 00 4E 01 D0 00 00 80 11 B6 7B C0 A8 00 04 C0 A8
> .N.Ð..?.¶{À¨..À¨
> 00020: 00 FF 00 89 00 89 00 3A 49 CD BF D6 01 10 00 01
> .ÿ.?.?.:IÍ¿Ö....
> 00030: 00 00 00 00 00 00 20 45 4E 45 42 46 44 45 50 45 ......
> ENEBFDEPE
> 00040: 4F 43 4E 44 43 43 41 43 41 43 41 43 41 43 41 43
> OCNDCCACACACACAC
> 00050: 41 43 41 43 41 41 41 00 00 20 00 01 ACACAAA.. ..
>
>
> Can anyone advise me on how to get "mason-2" out of its head so it will
> cease broadcasting for it?
>
> Thanks very much
> /Ehren

Hi!

You should create the following entry:

192.168.1.1 mason-2 #PRE

If you use mason-1's IP address instead of 192.168.1.1 in lmhosts file
mason-2 will be recognized as mason-1. If I am not mistaken your capture
shows code "00" which indicates "Workstation" service.

For more info: http://support.microsoft.com/kb/150800

By default lmhosts file has extension.sam which should be removed and
"nbtstat -R" command line should be used to reload NetBIOS name cache.

I believe further investigation of your problem should include the following
tool: http://www.microsoft.com/technet/sys...s/TcpView.mspx

HTH

Toni

"Wingnut" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
Is there any utility or way I can tell what application it is coming
from?

Can you possibly give me the full syntax of the entry for the lmhosts
file if I was to point mason-2 to the address of mason-1 since mason-2
IS mason-1?

Thanks!
T. Uranjek wrote:
> Hi!
>
> You should find out which NetBIOS application makes this queries. Name
> resolition broadcasts can be stopped with enabling lmhosts lookup if you
> add entry for old server with #PRE tag. This will not resolve your
> problem,
> it should only stop brodcasts.
>
> HTH
>
> Toni
>
> "Wingnut" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> Hello-
>
> First let me explain to you the History of this server so you will
> understand a little more.
>
> I had an older server named mason-1 which I was replacing. I built the
> new server and named the new server mason-2 so as to not have a name
> conflict. When the new server was running as it should I decomissioned
> the old and renamed the new server to mason-1. Keep in mind there is
> no AD in the picture at this point.
>
> Since then I have installed Active Directory on it (it is the forest
> root domain controller and the only DC in the forest/domain) along with
> exchange and MSSQL for CRM 3.0. I have noticed over the past several
> months that all of the lights on my switches, router and WAP's blink
> constantly even when there should be minimal or no network activity.
> It has caused my firewall to lock up several times and also seems to
> slow the network a bit. So I finally decided to investigate it and
> narrowed it down to the server (mason-1). When I unplug the server
> from the network all lights cease to blink and only blink when there is
> activity between 2 nodes. When I plug it back in...they all start to
> blink again.
>
> I installed network monitor that is included with windows server 2003
> (enterprise edition) and ran a capture for sixty (60) seconds. Over
> that 60 seconds I captured 325 broadcasts (5.5 per second). On a
> network with 5 computers currently that is not right.
>
> I looked into the broadcasts in network monitor and it appears that the
> server is broadcasting to find the address for Mason-2, even though
> this server is no longer named that and there is no mason-2 on the
> network. (Keep in mind the server was renamed before AD was even a
> thought).
>
> The output of network monitor for one of the broadcasts looks like
> this, all broadcasts are identical:
>
> 147 44.156250 LOCAL *BROADCAST NBT NS: Query req. for MASON-2
> <00> MASON-1 192.168.0.255 IP
>
> FRAME: Base frame properties
> FRAME: Time of capture = 11/21/2006 10:45:02 PM
> FRAME: Time delta from previous physical frame: 46875 microseconds
> FRAME: Frame number: 147
> FRAME: Total frame length: 92 bytes
> FRAME: Capture frame length: 92 bytes
> FRAME: Frame data: Number of data bytes remaining = 92 (0x005C)
> ETHERNET: EType = Internet IP (IPv4)
> ETHERNET: Destination address = FFFFFFFFFFFF
> ETHERNET: 1....... = Group address
> ETHERNET: .1...... = Locally administered address
> ETHERNET: Source address = 000FEA3DB73D
> ETHERNET: .0...... = Universally administered address
> ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
> IP: Protocol = UDP - User Datagram; Packet ID = 464; Total IP Length =
> 78; Options = No Options
> IP: Version = IPv4; Header Length = 20
> IP: 0100.... = IP Version 4
> IP: ....0101 = Header Length 20
> IP: Type of Service = Normal Service
> IP: 000..... = Precedence - Routine
> IP: ...0.... = Normal Delay
> IP: ....0... = Normal Throughput
> IP: .....0.. = Normal Reliability
> IP: ......0. = Normal Monetary Cost
> IP: Total Length = 78 (0x4E)
> IP: Identification = 464 (0x1D0)
> IP: Fragmentation Summary = 0 (0x0)
> IP: .0.............. = May fragment datagram if necessary
> IP: ..0............. = Last fragment in datagram
> IP: ...0000000000000 = Fragment Offset 0 (0x0000)
> IP: Time to Live = 128 (0x80)
> IP: Protocol = UDP - User Datagram
> IP: Checksum = 46715 (0xB67B)
> IP: Source Address = 192.168.0.4
> IP: Destination Address = 192.168.0.255
> UDP: Src Port: NETBIOS Name Service (137); Dst Port: NETBIOS Name
> Service (137); Length = 58 (0x3A)
> UDP: Source Port = NETBIOS Name Service
> UDP: Destination Port = NETBIOS Name Service
> UDP: Total length = 58 (0x3A)
> UDP: UDP Checksum = 0x49CD
> NBT: NS: Query req. for MASON-2 <00>
> NBT: Transaction ID = 49110 (0xBFD6)
> NBT: Flags Summary = 0x0110 - Req.; Query; Success
> NBT: 0............... = Request
> NBT: .0000........... = Query
> NBT: .....0.......... = Non-authoritative Answer
> NBT: ......0......... = Datagram not truncated
> NBT: .......1........ = Recursion desired
> NBT: ........0....... = Recursion not available
> NBT: .........0...... = Reserved
> NBT: ..........0..... = Reserved
> NBT: ...........1.... = Broadcast packet
> NBT: ............0000 = Success
> NBT: Question Count = 1 (0x1)
> NBT: Answer Count = 0 (0x0)
> NBT: Name Service Count = 0 (0x0)
> NBT: Additional Record Count = 0 (0x0)
> NBT: Question Name =MASON-2 <00>
> NBT: Question Type = General Name Service
> NBT: Question Class = Internet Class
> 00000: FF FF FF FF FF FF 00 0F EA 3D B7 3D 08 00 45 00
> ÿÿÿÿÿÿ..ê=·=..E.
> 00010: 00 4E 01 D0 00 00 80 11 B6 7B C0 A8 00 04 C0 A8
> .N.Ð..?.¶{À¨..À¨
> 00020: 00 FF 00 89 00 89 00 3A 49 CD BF D6 01 10 00 01
> .ÿ.?.?.:IÍ¿Ö....
> 00030: 00 00 00 00 00 00 20 45 4E 45 42 46 44 45 50 45 ......
> ENEBFDEPE
> 00040: 4F 43 4E 44 43 43 41 43 41 43 41 43 41 43 41 43
> OCNDCCACACACACAC
> 00050: 41 43 41 43 41 41 41 00 00 20 00 01 ACACAAA.. ..
>
>
> Can anyone advise me on how to get "mason-2" out of its head so it will
> cease broadcasting for it?
>
> Thanks very much
> /Ehren