How to Find the Culprit of a Broadcast Storm

Broadcast Storms Have a Tendency to Grow Exponentially

A former student of mine just emailed me to ask a question: “Any tips for tracking down the originator of an ARP/Broadcast storm?  It seems to be happening daily from 0700-0800, almost like it's scheduled.”


Two ways to approach that:


1. Check the stats on the switch, and see which interface/port is transmitting the most packets during that time period. Then check the CAM and ARP tables to work back to an IP address, and use nslookup on that IP (~% nslookup 10.5.28.189). Interface > MAC > IP > Hostname.


2. Sniff them out. Plug your laptop into the same VLAN that is having the storm. Capture for a minute or two, and then stop. It won't take long to get what you need during a storm. In Wireshark, go to Statistics | Conversations | Ethernet. Sort by number of packets. There is your culprit in the top slot. Then right-click on the MAC address and filter for it. Now go to Statistics | Conversations | IP and check the "Limit to display filter" box. There is your culprit's IP. Use nslookup to find the hostname, or (now that it is filtered) see if there is SMB browser announcement traffic, as that packet would show the hostname.
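As an added illustration (my own script, not part of Betty's post), here is the Ethernet-conversation count and MAC-to-IP step from method 2 done offline on raw Ethernet frames: count broadcast frames per source MAC, take the top sender, and read the IP it claims in its own ARP requests. The capture it analyses is constructed inline; the MACs are made up and 10.5.28.189 is reused from the nslookup example above.

```python
from collections import Counter
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def parse_frame(frame):
    """Split an Ethernet II frame into (src_mac, dst_mac, ethertype, payload)."""
    (etype,) = struct.unpack("!H", frame[12:14])
    return frame[6:12], frame[:6], etype, frame[14:]

def arp_sender_ip(payload):
    """Sender protocol address of an ARP payload, or None if truncated."""
    # ARP layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    if len(payload) < 28:
        return None
    return ".".join(str(b) for b in payload[14:18])

def find_storm_source(frames):
    """Top broadcast sender as (MAC, broadcast frame count, IP from its ARP frames).
    Same idea as Conversations | Ethernet sorted by packets, then Conversations | IP
    limited to that MAC, but computed offline from raw frames."""
    counts, mac_to_ip = Counter(), {}
    for frame in frames:
        src, dst, etype, payload = parse_frame(frame)
        if dst != BROADCAST:          # unicast frames are not part of the storm
            continue
        counts[src] += 1
        if etype == ETHERTYPE_ARP and src not in mac_to_ip:
            ip = arp_sender_ip(payload)
            if ip:
                mac_to_ip[src] = ip
    if not counts:
        return None
    top_mac, n = counts.most_common(1)[0]
    return ":".join(f"{b:02x}" for b in top_mac), n, mac_to_ip.get(top_mac)

def arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast ARP request frame (used only to construct sample data)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + ip(src_ip) + b"\x00" * 6 + ip(target_ip)
    return BROADCAST + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp

# Constructed capture: one host flooding ARP requests, two quiet hosts, one unicast frame.
STORMER = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [arp_request(STORMER, "10.5.28.189", f"10.5.28.{i}") for i in range(1, 51)]
SAMPLE_FRAMES += [arp_request(bytes.fromhex("aabbccddee01"), "10.5.28.10", "10.5.28.1"),
                  arp_request(bytes.fromhex("aabbccddee02"), "10.5.28.11", "10.5.28.1"),
                  STORMER + bytes.fromhex("aabbccddee01") + b"\x08\x00" + b"\x00" * 20]
```

On a real capture you would feed the script the frames read from the pcap and then finish with nslookup on the returned IP, exactly as the post describes.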


Mystery solved.


Written by Betty DuBois - Originally Posted November 30, 2017