Possibly excessive arp traffic related to network slowdown

Tags: arp, local-area-network

I was looking into reports at one of my customers that the "network" was slow. (File access/saving/image loading from the server taking longer than it usually does.)

The basic setup is a Windows Server 2012 R2 that handles DNS, DHCP and AD. We have an unmanaged 24-port switch which connects the rest of the building to the server room in the basement, and a DrayTek router.
I tried using NetIO running on the Hyper-V host to test network throughput in several places around the building where some of these reports had originated, and noticed that our gigabit network is getting ~8 Mb/s in some areas, and only at some points (I performed 10 tests over a 5 min period); at other points it would get up to 100+. I decided to first start investigating a switching loop/ARP flood eating up the bandwidth. While the "Data flow monitor" on the router shows relatively low activity, when I looked in Wireshark I noticed the following.
[Wireshark screenshot]

This is a screenshot from Wireshark. I would notice, every second or so, from 2 different hosts on the network, a block of some 10-10 of these. The IP addresses being requested are not in use on the network; I checked the ARP cache and DHCP table of the router to confirm.

Is this considered a broadcast storm, and by extension a possible cause for the slow speeds experienced, or am I barking up the wrong tree here? If the latter, any advice beyond having to go on site on the weekend and try to further isolate where the bottleneck is?

Best Answer

  1. Whatever the "Data flow monitor" on the router is, it isn't going to show you LAN traffic. LAN traffic doesn't transit the router. Only traffic destined for remote networks (the internet) will transit the router. So... the router really isn't useful in figuring out the LAN issue.

  2. Yes, that ARP traffic is suspect. Hosts don't generally ARP for every potential IP address in the subnet unless someone is running a network scanning tool or the host is infected with malware. My guess is that you have malware on the machines that are the source of the ARP traffic, and that's where I would look first.
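The answer's heuristic (a host ARPing for many addresses that nobody holds) can be turned into a simple check over a capture. The following is an added example, not code from the question or the answer: it takes ARP request records in the shape Wireshark shows them ("Who has X? Tell Y", with a timestamp), flags any sender that asks for `threshold` or more distinct targets inside a `window`-second span, and reports what share of that sender's targets are absent from a known-live list (the DHCP leases / ARP cache the poster checked). The records, addresses and thresholds are constructed for the demonstration.

```python
"""Flag hosts whose ARP requests look like a subnet sweep (added example)."""
from collections import defaultdict

# Constructed sample, not a real capture: (time_s, sender_ip, target_ip).
# 10.0.0.50 walks 12 consecutive addresses, one request every 125 ms;
# 10.0.0.20 does ordinary lookups of hosts that exist.
SAMPLE_ARP = [(0.125 * i, "10.0.0.50", f"10.0.0.{100 + i}") for i in range(12)]
SAMPLE_ARP += [(0.0, "10.0.0.20", "10.0.0.1"),
               (0.5, "10.0.0.20", "10.0.0.5"),
               (4.0, "10.0.0.20", "10.0.0.1")]

# Constructed stand-in for the router's DHCP table / ARP cache.
KNOWN_LIVE = {"10.0.0.1", "10.0.0.5", "10.0.0.20", "10.0.0.50"}


def arp_sweep_sources(records, known_live, window=1.0, threshold=8):
    """Return {sender: (peak_distinct_targets, unused_fraction)} for every
    sender whose distinct ARP targets inside any `window` seconds reach
    `threshold`. unused_fraction is the share of that sender's targets
    that are not in `known_live` (1.0 means it only asked for dead IPs)."""
    by_sender = defaultdict(list)
    for t, sender, target in records:
        by_sender[sender].append((t, target))

    suspects = {}
    for sender, events in by_sender.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # Distinct targets in the window that starts at this request.
            in_window = {tgt for t, tgt in events[i:] if t - t0 <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            all_targets = {tgt for _, tgt in events}
            unused = len(all_targets - known_live) / len(all_targets)
            suspects[sender] = (peak, round(unused, 2))
    return suspects


if __name__ == "__main__":
    for host, (peak, unused) in arp_sweep_sources(SAMPLE_ARP, KNOWN_LIVE).items():
        print(f"{host}: {peak} distinct targets in 1 s, {unused:.0%} not in use")
```

A host that trips the threshold with a high unused fraction is the one to pull off the network and inspect, as the answer suggests; a legitimate busy host will keep asking for the same few live addresses.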