This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

LLMNR flood

0

Hello all,

I need help with LLMNR ... I have a case in my office where almost all office network connections are down. When I checked using Wireshark, it showed that the LLMNR protocol is filling my network. I am a beginner with networks and Wireshark, and I do not know what to do. Please give me suggestions to solve the problem.

Thx B4

asked 03 Apr '14, 02:25

Kapten


One Answer:

1

Disable LLMNR if you don't use it.

Link Local Multicast Name Resolution (LLMNR) is a protocol defined in RFC 4795 that allows both IPv6 and IPv4 hosts to perform name resolution for the names of neighboring computers without requiring a DNS server or DNS client configuration.

You can disable LLMNR requests via group policy.

Group Policy = Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution. (Enabled = Don't use LLMNR, Disabled = Use LLMNR)

answered 04 Apr '14, 12:07

Roland

Thank you very much, Roland. For now we have disabled LLMNR on some PCs. But I still have homework, which is why it could happen ... what's wrong with LLMNR?

(10 Apr '14, 21:07) Kapten

The following may (or may not) be relevant:

excessive llmnr packets from one workstation

(10 Apr '14, 21:19) Bill Meier ♦♦

I'm not sure .... My current network is 10.10.xx/16, and everything was running normally until my friend configured an IP alias on a notebook (Win 7) with IP 192.168.10.29/24; then our network went down. The LLMNR queries are not random, they are focused on only one host running Win 7, and we do not configure PAC on his browser.

(10 Apr '14, 23:36) Kapten

Full with this : 192.168.10.29 224.0.0.252 LLMNR 66 Standard query 0xcfd3 A PC57-1 . . . .

(10 Apr '14, 23:44) Kapten

If you remove the IP alias do you see the same behaviour? Is it another version of Win 7?

Check the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast

(11 Apr '14, 13:05) Roland

If the IP alias is removed, some LLMNR queries for PC57-1 still appear, but they don't bring my network down. I don't know whether this is normal or not. Sorry, I was wrong: the notebook with the IP alias is running Win 7 Pro (OEM), and PC57-1 is running Win 8.0.

(14 Apr '14, 22:59) Kapten
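
To find which host is behind a flood like the one in this thread, the following Python script (an added example, not code from the thread or from Wireshark) tallies LLMNR queries per source from a text export of a capture and flags sources that exceed a per-second rate or sit outside the expected subnet. The column layout (Time, Source, Destination, Protocol, Length, Info), the 10.10.0.0/16 network, the threshold of 50 queries per second and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed export layout: Time Source Destination Protocol Length Info
LINE_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+LLMNR\s+\d+\s+"
    r"Standard query 0x[0-9a-f]+\s+\S+\s+(?P<name>\S+)"
)
LLMNR_GROUPS = {"224.0.0.252", "ff02::1:3"}  # RFC 4795 multicast addresses

def analyze(lines, local_net, rate_threshold=50):
    """Return per-source LLMNR query statistics with flood/off-subnet flags."""
    net = ipaddress.ip_network(local_net)
    per_sec = defaultdict(Counter)  # source -> {capture second: query count}
    names = defaultdict(Counter)    # source -> {queried name: count}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dst"] not in LLMNR_GROUPS:
            continue  # skip responses, unicast traffic and other protocols
        per_sec[m["src"]][int(float(m["time"]))] += 1
        names[m["src"]][m["name"]] += 1
    report = {}
    for src, buckets in per_sec.items():
        addr = ipaddress.ip_address(src)
        peak = max(buckets.values())
        report[src] = {
            "queries": sum(buckets.values()),
            "peak_per_sec": peak,
            "top_name": names[src].most_common(1)[0][0],
            # Only compare addresses of the same IP version as local_net.
            "off_subnet": addr.version == net.version and addr not in net,
            "flood": peak >= rate_threshold,
        }
    return report

# Constructed sample: 60 queries in under a second from the aliased notebook,
# plus ordinary traffic from a host on the office network.
SAMPLE = [
    f"{i / 100:.6f} 192.168.10.29 224.0.0.252 LLMNR 66 Standard query 0xcfd3 A PC57-1"
    for i in range(60)
] + [
    "2.100000 10.10.1.20 224.0.0.252 LLMNR 64 Standard query 0x1a2b A printer01",
    "2.100500 10.10.1.30 10.10.1.20 LLMNR 84 Standard query response 0x1a2b A printer01 A 10.10.1.30",
    "2.500000 10.10.1.20 224.0.0.252 LLMNR 64 Standard query 0x1a2c AAAA printer01",
]

if __name__ == "__main__":
    for src, stats in analyze(SAMPLE, "10.10.0.0/16").items():
        print(src, stats)
```
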