We can categorize traffic into two general types: directed and broadcast traffic. In the most general sense, a broadcast is sent to anybody that wants to listen. What I’d like to talk about is how broadcasts work and what they are used for.
How broadcasts work
In general, a broadcast is a special address. Different layers, in particular the hardware and network layers, have specific addresses defined as broadcasts. So let’s look at each layer specifically.
The hardware layer is normally controlled completely by hardware. It defines how the electrical signals go across the wire and how to decide what traffic your network adapter should listen to. In reality, network traffic is always broadcast to everybody on the same segment. Switches and routers further determine how segments are defined and may block or allow this type of traffic.
Your network adapter is set up to “listen” for a hardware address that is assigned to it. This 6-byte address is usually hard-coded by the network card manufacturer. A manufacturer is assigned a group of addresses and makes sure they are all unique when shipped. When your network adapter sees an electrical signal, it decodes the Ethernet header information and checks whether it’s one of the addresses it’s listening for. If it matches, it sends the packet to the OS for more processing.
Here’s an example of the Ethernet portion of a packet.
- Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-06-5B-61-2E-7A]
+ MacAddress DestinationAddress: *BROADCAST [FF-FF-FF-FF-FF-FF]
+ MacAddress SourceAddress: Dell Computer Corp. 612E7A [00-06-5B-61-2E-7A]
UINT16 EthernetType: Internet IP (IPv4), 2048(0x800)
You can see that the Source Address is made up of 6 bytes, 00-06-5B-61-2E-7A. The first 3 bytes, 00-06-5B, identify it as the Dell Computer Corp. The final 3 bytes are unique and set by the manufacturer.
In wireless, all traffic is inherently broadcast based. The air is the medium (ok, not really air, but the idea is that everybody sees the traffic). But again, once your wireless adapter sees the traffic, it inspects the address and, if it matches, it knows to send it to the OS.
Broadcasts at this layer are special, industry-defined addresses. Each NIC is configured to listen for its personal address and any broadcast-related traffic. For Ethernet, the broadcast is simply an Ethernet address of FF-FF-FF-FF-FF-FF.
So for instance, if we look at an ARP packet with Network Monitor 3.2, you can see that the destination address is FF-FF-FF-FF-FF-FF, and the packet will therefore be listened to by any machine that receives it.
Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-07-B3-29-F8-00]
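To make the address check concrete, here is an added Python example (not code from the original post or from Network Monitor) that splits a raw Ethernet II frame into its fields, classifies the destination as broadcast, multicast or unicast, pulls out the manufacturer prefix, and models the NIC's accept-or-drop decision. The sample frame is constructed from the addresses quoted above with a dummy 20-byte payload; the nic_accepts model and its groups/promiscuous parameters are my simplification of what a real card's filter does.

```python
import struct

BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ETHERTYPES = {0x0800: "Internet IP (IPv4)", 0x0806: "ARP", 0x86DD: "IPv6"}


def format_mac(mac: bytes) -> str:
    """Render six raw bytes the way Network Monitor shows them, e.g. 00-06-5B-61-2E-7A."""
    return "-".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """The first three bytes are the manufacturer prefix (00-06-5B in the capture above)."""
    return format_mac(mac[:3])


def classify_mac(mac: bytes) -> str:
    """All-ones is the broadcast address; any other address whose first byte has the
    low bit set (the I/G bit) is a group (multicast) address; the rest are unicast."""
    if mac == BROADCAST_MAC:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def parse_ethernet(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into destination, source, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than the 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": etype, "payload": frame[14:]}


def nic_accepts(dst: bytes, my_mac: bytes, groups=frozenset(), promiscuous: bool = False) -> bool:
    """Simplified model of the NIC's address filter: frames to the card's own address,
    to the broadcast address, or to a multicast group it has been told to join are
    passed up to the OS. Anything else is dropped unless promiscuous mode is on."""
    if promiscuous:
        return True
    return dst == my_mac or dst == BROADCAST_MAC or dst in groups


def describe(frame: bytes) -> str:
    """One-line summary in the style of the capture lines quoted in the post."""
    h = parse_ethernet(frame)
    kind = "*BROADCAST " if classify_mac(h["dst"]) == "broadcast" else ""
    etype = ETHERTYPES.get(h["ethertype"], f"0x{h['ethertype']:04X}")
    return (f"Etype = {etype}, DestinationAddress:{kind}[{format_mac(h['dst'])}], "
            f"SourceAddress:[{format_mac(h['src'])}] ({oui(h['src'])} prefix)")


# Constructed sample: a broadcast frame from the Dell address in the post, carrying IPv4.
# The 20-byte payload is a dummy; only the Ethernet header is examined here.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "00065b612e7a" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(describe(SAMPLE_FRAME))
    mine = bytes.fromhex("001122334455")   # constructed address for "our" adapter
    print("passed to the OS without P-Mode:", nic_accepts(parse_ethernet(SAMPLE_FRAME)["dst"], mine))
```

The useful detail is that a broadcast frame is accepted by every adapter on the segment, but a frame to someone else's unicast address is accepted only in promiscuous mode; multicast sits in between, since a real card passes up only the groups the OS has asked for.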
The network layer, in the case of IPv4 and IPv6, does the same thing. The only difference here is that it may also include information on how to route traffic. For outgoing traffic, for instance, the IP address determines whether the destination is local or not.
[See http://blogs.technet.com/netmon/archive/2007/07/20/intro-to-name-resolution.aspx for more info about routing.]
When incoming traffic arrives at the IP layer, it again checks the address to see if it’s something it should be listening for. IP addresses, however, are not hard-coded. They are assigned, and a NIC can listen on multiple IP addresses if it wants.
At this layer the broadcast again is defined as a specific IP address. For IPv4, this can be 255.255.255.255. It can also be restricted to the current subnet, for instance 192.168.1.255 for a class C network. (For more info on IPv4 classes see http://en.wikipedia.org/wiki/Classful_network.)
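Whether an IPv4 address is a broadcast depends on the subnet mask, so here is an added Python example (mine, not from the post) that computes the subnet-directed broadcast from an address and prefix length (a class C network is a /24) and classifies a destination from the point of view of a host on that subnet. It also shows the caveat a capture reader needs: an address ending in .255 is only a broadcast when the mask makes it one.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def subnet_broadcast(address: str, prefix_len: int) -> str:
    """Directed broadcast for the subnet containing `address`: every host bit set to 1.
    Done with bit arithmetic so the rule is visible; ipaddress.ip_network(...).broadcast_address
    gives the same answer."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    host_mask = (1 << (32 - prefix_len)) - 1
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(address)) | host_mask))


def classify_destination(dst: str, local_address: str, prefix_len: int) -> str:
    """What a destination IPv4 address means to a host configured as local_address/prefix_len."""
    dst_addr = ipaddress.IPv4Address(dst)
    if dst_addr == LIMITED_BROADCAST:
        return "limited broadcast"       # 255.255.255.255: stays on the local segment
    if str(dst_addr) == subnet_broadcast(local_address, prefix_len):
        return "directed broadcast"      # e.g. 192.168.1.255 for a host on 192.168.1.0/24
    if dst_addr.is_multicast:
        return "multicast"               # 224.0.0.0/4
    return "unicast"


if __name__ == "__main__":
    # Constructed examples using the addresses from the post.
    for dst in ("255.255.255.255", "192.168.1.255", "192.168.1.7", "224.0.0.251"):
        print(f"{dst} seen from 192.168.1.5/24 -> {classify_destination(dst, '192.168.1.5', 24)}")
    # Same last octet, different mask: on a /16, 10.0.0.255 is just another host.
    print("10.0.0.255 seen from 10.0.0.5/16 ->", classify_destination("10.0.0.255", "10.0.0.5", 16))
```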
Why have Broadcasts?
You may have already figured this out, but broadcasts are used to send information to every machine on the same segment. For instance, when IPv4 needs to see if an address is already taken, it broadcasts an ARP packet asking whether that address is in use. In fact, you may have already noticed that ARP requests tend to always be broadcasts.
Frame: Number = 41, Captured Frame Length = 60, MediaType = ETHERNET
+ Ethernet: Etype = ARP,DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-07-B3-29-F8-00]
+ Arp: Request, 192.168.100.253 asks for 192.168.100.13
Broadcasts are also used to announce general things, such as names, to everybody. When NetBIOS starts up, it sends out an announcement to anybody who’s listening to see if this name has been used before. Machines called browse masters listen for these names and record them. This allows you to see all the machines on your local network; your machine may ask the browse master for a complete list.
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-1D-09-AB-5D-0A]
+ Ipv4: Src = 192.168.1.5, Dest = 192.168.1.255, Next Protocol = UDP, Packet ID = 3092, Total IP Length = 78
+ Udp: SrcPort = NETBIOS Name Service(137), DstPort = NETBIOS Name Service(137), Length = 58
+ Nbtns: Query Request for MachineX <0x00> Workstation Service
When a computer boots, broadcasts are often used to ask the DHCP server for an address. In fact, each time you boot a machine without an IP address, it must use a broadcast to find and communicate with the DHCP server. The message below is the discover request that is sent when a machine is looking to find its first IP address.
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[FF-FF-FF-FF-FF-FF],SourceAddress:[00-60-08-01-D3-03]
+ Ipv4: Src = 0.0.0.0, Dest = 255.255.255.255, Next Protocol = UDP, Packet ID = 288, Total IP Length = 328
+ Udp: SrcPort = BOOTP client(68), DstPort = BOOTP server(67), Length = 308
+ Dhcp: Request, MsgType = DISCOVER, TransactionID = 0x83484743
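The ARP request and the DHCP discover above are the two broadcasts you will see most often in a capture, so here is an added Python example (mine, not from the post or from Network Monitor) that decodes both from raw bytes and prints summary lines in the same style as the capture output quoted in this post. The two frames are constructed with the MAC and IP addresses taken from the capture lines above; the IP and UDP checksums are left at zero and the lengths differ from the real capture, since the sample DHCP message carries only the message-type option.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
DHCP_COOKIE = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(body: bytes) -> dict:
    """Decode the 28-byte ARP message that follows the Ethernet header."""
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", body[:28])
    return {"op": {1: "Request", 2: "Reply"}.get(oper, f"op {oper}"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def parse_dhcp(body: bytes) -> dict:
    """Pull op, transaction id and message type (option 53) out of a BOOTP/DHCP body.
    The fixed BOOTP part is 236 bytes, then the magic cookie, then tag/length/value options."""
    op, _, _, _, xid = struct.unpack("!BBBBI", body[:8])
    if body[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg_type, i = None, 240
    while i < len(body) and body[i] != 255:   # option 255 = end of options
        if body[i] == 0:                       # option 0 = pad, has no length byte
            i += 1
            continue
        tag, length = body[i], body[i + 1]
        if tag == 53 and length == 1:
            msg_type = body[i + 2]
        i += 2 + length
    return {"op": "Request" if op == 1 else "Reply", "xid": xid,
            "msg_type": DHCP_MSG_TYPES.get(msg_type, "unknown")}


def summarize(frame: bytes) -> list:
    """Network-Monitor-style summary lines for an ARP frame or an IPv4/UDP/DHCP frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    l2 = "*BROADCAST " if dst == BROADCAST_MAC else ""
    lines = []
    if etype == 0x0806:
        lines.append(f"Ethernet: Etype = ARP, DestinationAddress:{l2}[{mac_str(dst)}], SourceAddress:[{mac_str(src)}]")
        a = parse_arp(body)
        verb, who = ("asks for", a["target_ip"]) if a["op"] == "Request" else ("is at", a["sender_mac"])
        lines.append(f"Arp: {a['op']}, {a['sender_ip']} {verb} {who}")
    elif etype == 0x0800:
        ihl = (body[0] & 0x0F) * 4                     # header length in bytes
        total_len, proto = struct.unpack("!H", body[2:4])[0], body[9]
        lines.append(f"Ethernet: Etype = Internet IP (IPv4), DestinationAddress:{l2}[{mac_str(dst)}], SourceAddress:[{mac_str(src)}]")
        lines.append(f"Ipv4: Src = {ip_str(body[12:16])}, Dest = {ip_str(body[16:20])}, "
                     f"Next Protocol = {IP_PROTOCOLS.get(proto, proto)}, Total IP Length = {total_len}")
        if proto == 17:
            sport, dport, ulen = struct.unpack("!HHH", body[ihl:ihl + 6])
            lines.append(f"Udp: SrcPort = {sport}, DstPort = {dport}, Length = {ulen}")
            if {sport, dport} == {67, 68}:             # BOOTP client/server ports
                d = parse_dhcp(body[ihl + 8:ihl + ulen])
                lines.append(f"Dhcp: {d['op']}, MsgType = {d['msg_type']}, TransactionID = 0x{d['xid']:08X}")
    return lines


# --- constructed sample frames (addresses from the post's capture; checksums left at zero) ---
def build_arp_request(src_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, src_mac, sender_ip, b"\0" * 6, target_ip)
    return (BROADCAST_MAC + src_mac + b"\x08\x06" + arp).ljust(60, b"\0")   # pad to minimum frame size


def build_dhcp_discover(src_mac: bytes, xid: int) -> bytes:
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                       bytes(4), bytes(4), bytes(4), bytes(4), src_mac, b"", b"")
    dhcp += DHCP_COOKIE + bytes([53, 1, 1, 255])          # option 53 = DISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 288, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp          # 0.0.0.0 -> 255.255.255.255
    return BROADCAST_MAC + src_mac + b"\x08\x00" + ip


ARP_FRAME = build_arp_request(bytes.fromhex("0007b329f800"), bytes([192, 168, 100, 253]), bytes([192, 168, 100, 13]))
DHCP_FRAME = build_dhcp_discover(bytes.fromhex("006008" "01d303"), 0x83484743)

if __name__ == "__main__":
    for f in (ARP_FRAME, DHCP_FRAME):
        print("\n".join(summarize(f)), end="\n\n")
```

Both decoders show the same pattern the post describes: the frame is addressed to FF-FF-FF-FF-FF-FF because the sender does not yet know who (ARP) or where (DHCP, with source 0.0.0.0) the other party is, so every adapter on the segment has to receive it.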
Another application, and perhaps the first thing you had in mind when you heard the word broadcast, is sending audio or video data while minimizing network utilization. Rather than sending a separate feed to everybody, you can send to a general group address, and NICs can then be told to listen for these special addresses. This form of broadcast is called multicast.
What is P-Mode?
Your NIC has a special mode called promiscuous mode (P-Mode). This mode allows your NIC to see all traffic, regardless of whether it’s meant for your machine or not. However, P-Mode is not necessary to see broadcast traffic, as your NIC is already listening for it. By default this mode is disabled for each NIC. Even if you don’t enable P-Mode, you will still see traffic where your IP or Ethernet address is not involved; this is the broadcast traffic. That is why you see traffic when you click on the “Other Traffic” node in the conversation tree.
Now hopefully you’ll be able to identify broadcast traffic and understand some of the reasons why this kind of traffic exists. There are many other reasons broadcasts are used, and IPv6 uses something similar to IPv4. Perhaps with this knowledge you can inspect traffic and make sure broadcasts are going to the intended network segments, as badly configured routers/switches can make for a noisier network than necessary.