Vlan – this UDP 5002 broadcast

broadcast ethernet ipv4 pcap vlan

I hope this is an appropriate place to ask this.

I'm confused because it's a broadcast at Layer 2 but it's UDP inside a VLAN with a destination to a unicast address (Y.Y.Y.Y).

I was just wondering if someone could tell me in what scenario one might see such a specimen. I see "virtual desktop" and "vmware" so my best guess is it's a broadcast being sent out by one of the virtual machines using a virtual adapter and therefore encapsulated in VLAN 1101. I also see port 5002, radio free ethernet.

Frame 1: 348 bytes on wire (2784 bits), 348 bytes captured (2784 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Mar 14, 2014 09:56:22.074016230 EDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1394805382.074016230 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 348 bytes (2784 bits)
Capture Length: 348 bytes (2784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:vlan:ip:udp:data]
Ethernet II, Src: Vmware_80:39:6f (00:50:56:80:39:6f), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Address: Broadcast (ff:ff:ff:ff:ff:ff)
    .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
Source: Vmware_80:39:6f (00:50:56:80:39:6f)
    Address: Vmware_80:39:6f (00:50:56:80:39:6f)
    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1101
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = CFI: Canonical (0)
.... 0100 0100 1101 = ID: 1101
Type: IP (0x0800)
Internet Protocol Version 4, Src: X.X.X.X (X.X.X.X), Dst: Y.Y.Y.Y (Y.Y.Y.Y)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 334
Identification: 0x58f0 (22768)
Flags: 0x00
    0... .... = Reserved bit: Not set
    .0.. .... = Don't fragment: Not set
    ..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (17)
Header checksum: 0x0ed6 [correct]
    [Good: True]
    [Bad: False]
Source: X.X.X.X (X.X.X.X)
Destination: Y.Y.Y.Y (Y.Y.Y.Y)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 57787 (57787), Dst Port: rfe (5002)
Source port: 57787 (57787)
Destination port: rfe (5002)
Length: 314 (bogus, payload length 310)
    [Expert Info (Error/Malformed): Bad length value 314 > IP payload length]
        [Message: Bad length value 314 > IP payload length]
        [Severity level: Error]
        [Group: Malformed]
Checksum: 0x507f [unchecked, not all data available]
    [Good Checksum: False]
    [Bad Checksum: False]
Data (302 bytes)

0000  44 52 49 4e 45 54 54 4d d1 de 97 0c c6 b9 00 00   DRINETTM........
0010  00 1e 9b 74 1c 1a 78 da fe ff ff ff 22 15 99 74   ...t..x....."..t
0020  50 99 b4 77 00 00 99 74 02 00 00 00 00 00 00 00   P..w...t........
0030  01 00 69 71 6e 2e 31 39 39 31 2d 30 35 2e 63 6f   ..iqn.1991-05.co
0040  6d 2e 6d 69 63 72 6f 73 6f 66 74 3a 64 65 73 6b   m.microsoft:desk
0050  74 6f 70 30 30 32 2e 63 6f 72 70 2e 76 69 72 74   top002.corp.virt
0060  75 61 70 72 69 73 65 2e 63 6f 6d 00 00 00 00 00   uaprise.com.....
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00         ..............
Data: 4452494e4554544dd1de970cc6b90000001e9b741c1a78da...
[Length: 302]

Best Answer

You appear to have a VMware guest running Drobo Dashboard, and it's looking for a Drobo NAS for an iSCSI volume called iqn.1991-05.com.microsoft:desktop002.corp.virtuaprise.com. Port 5002 in this case is just a random port chosen by Drobo for this session.

The global broadcast MAC address is just your switch flooding the frame to all ports because the Drobo's MAC address is not in (or has expired out of) its CAM table. Once the switch observes a response from the Drobo, it will update its CAM table with the destination's MAC address, so subsequent frames can be properly directed to it.
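
An added example, not part of the original question or answer: a Python sketch that rebuilds a frame with the header values from the dissection above and runs the checks the question raises (broadcast destination MAC with a non-broadcast IP destination, a UDP length larger than the captured data, and printable strings in the payload). The function names are hypothetical, the IP addresses are placeholders from 192.0.2.0/24 because the page redacts the real ones, and the payload bytes between `DRINETTM` and the IQN string are zero-filled.

```python
import ipaddress, re, struct

def build_sample():
    """Constructed frame with the header values from the dissection above."""
    payload = (b"DRINETTM" + bytes(42) +  # IQN string sits at payload offset 0x32
               b"iqn.1991-05.com.microsoft:desktop002.corp.virtuaprise.com").ljust(302, b"\0")
    eth = bytes.fromhex("ffffffffffff" "00505680396f")          # dst broadcast, src VMware MAC
    tag = struct.pack("!HHH", 0x8100, 1101, 0x0800)             # TPID, TCI (VLAN 1101), IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 334, 0x58F0, 0, 128, 17, 0,  # checksum left 0
                     ipaddress.ip_address("192.0.2.10").packed,  # placeholder for X.X.X.X
                     ipaddress.ip_address("192.0.2.20").packed)  # placeholder for Y.Y.Y.Y
    udp = struct.pack("!HHHH", 57787, 5002, 314, 0)
    return eth + tag + ip + udp + payload

def analyze(frame):
    """Return the fields and mismatches a reviewer would check on this frame."""
    dst_mac = frame[0:6]
    (etype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if etype == 0x8100:                        # 802.1Q: low 12 bits of TCI are the VLAN ID
        tci, etype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF
    if etype != 0x0800:
        raise ValueError("not IPv4")
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:
        raise ValueError("not UDP")
    ip_dst = ipaddress.ip_address(frame[off + 16:off + 20])
    u = off + ihl
    sport, dport, udp_len = struct.unpack("!HHH", frame[u:u + 6])
    captured = len(frame) - u                  # bytes present after the IP header
    # A subnet-directed broadcast cannot be recognised without the netmask,
    # so only limited broadcast and multicast count as "not unicast" here.
    l3_unicast = not (ip_dst.is_multicast or str(ip_dst) == "255.255.255.255")
    strings = [m.decode() for m in re.findall(rb"[\x20-\x7e]{6,}", frame[u + 8:])]
    return {
        "vlan": vlan, "sport": sport, "dport": dport, "udp_len": udp_len,
        "captured_after_ip": captured,
        "l2_broadcast_l3_unicast": dst_mac == b"\xff" * 6 and l3_unicast,
        "udp_len_exceeds_capture": udp_len > captured,
        "strings": strings,
    }

if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

The 4-byte gap between the UDP length (314) and the 310 bytes captured after the IP header is the mismatch Wireshark reports as malformed in the dissection.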
