Home > Articles, Tips & How-tos > How to Detect Possible Network Loops in Network?

How to Detect Possible Network Loops in Network?

Do you know what a network loop is? Have you ever had a network loop in your LAN? No matter you want it or not, a network loop in the LAN can bring down your whole network.

First, let’s see what a network loop is. What does a network loop do? A network loop is a network configuration there is more than one path between two computers or devices, which causes packets to be constantly repeated. This is due to the fact that a hub will blindly transmit everything it receives to all connections – other devices, such as switches and routers, might be able to reduce or eliminate this problem.

In this article, I’m going to show you how to detect the network loops in network with Capsa network analyzer 7.1?

Let’s start Capsa, and then add in the packet file into the ready-to-replay list. Without any other settings, click this icon to start replay directly.
01
To detect network loops, first we come to the Dashboard tab. The graphs show that the traffic is not big. We can conclude that, no machine is keeping sending a large sum of packets, to block the bandwidth.
02
We can sure from the Protocol tab, that only ICMP is used in the traffic. However, in Diagnosis tab, there is one record, IP TTL too low, which means a packet has passed too many routers. That is a sign od network loop.
03
And we can see the anomaly happens at IP address, one seventy two, dot sixteen, dot two zero eight, dot thirty three. Let’s start from this address. Right-click on the address, and locate it.
04
Then, go directly to the packet tab. We can see all the packets are ICMP packets. And we find the delta time between the packets is very small, and there are more than twelve thousand packets. This couldn’t be normal. Just a simple ping can’t produce so many packets, it looks like network loop a little bit.
05
To confirm our guess, we should go down to the digits in the packets. We can compare the field information of different packets, by checking the fields in this pane. While we come to the identification field, we can see there are so many packets have the same identification number. We know that one ICMP packets has its own identification number, there’s no way that so many packets have the same number. Now we are much sure it’s a network loop. But to make sure of this, we need to see another important field, TTL value. Check the Time To Live field. We can see that the same ICMP packet loops around the router, and each time it passes the router, its TTL value is reduced by one. Until its TTL value comes to zero, it’s dropped by the router. Then another packet does it again.
06
This is the end of the story. Hope you already know how to find out network loop in network with network sniffer.
A video tutorial for troubleshooting network loops is avaliable at http://www.colasoft.com/download/arp_flood_arp_spoofing_arp_poisoning_attack_solution_with_capsa.php

  1. April 27th, 2010 at 05:05 | #1

    very good information you write it very clean. I’m very lucky to get this information from

    you.

  2. April 27th, 2010 at 16:20 | #2

    It’s really well done! Respect to author.

  3. April 27th, 2010 at 23:36 | #3

    My cousin recommended this blog and she was totally right keep up the fantastic work!

  4. May 4th, 2010 at 09:12 | #4

    Genial fill someone in on and this enter helped me alot in my college assignement. Thanks you seeking your information.

  5. May 6th, 2010 at 01:15 | #5

    Really nice and impressive blog i found today.

  6. May 6th, 2010 at 02:44 | #6

    i am happy to find it thanks for sharing it here. Nice work.

  7. May 7th, 2010 at 08:59 | #7

    nice share, good

    article, very usefull for me…thank you

  8. May 8th, 2010 at 10:14 | #8

    Great article, i

    hope can know much information About it!

  9. May 10th, 2010 at 06:25 | #9

    I’ve already bookmark this article and will definitely refer this article to all my close friends and colleagues. Thanks for posting!

  10. manoj singh
    May 2nd, 2011 at 11:56 | #10

    before wrote this blog i was totally unaware of the loop network. now much more understand about the loop network . thanku so much for giving such a blog.

  11. May 12th, 2011 at 07:34 | #11

    I am not aware of network loop. Although I usually devices for some computers, it is a good thing I haven’t encountered a problem with it. Anyway, thank you for sharing this post and for sharing the link for capsa network analyzer.

  12. Munir
    February 1st, 2012 at 01:10 | #12

    Which Packet file should be used

  13. October 30th, 2012 at 16:42 | #13

    wonderful publish, very informative. I ponder why the other specialists of this sector don’t realize this. You must continue your writing. I’m confident,
    you’ve a great readers’ base already!

  14. November 2nd, 2012 at 03:11 | #14

    Nice article, im pretty sure i have a network loop. However i was wondering how you can determin where the loop is ?

  15. Alan K.
    February 6th, 2013 at 20:28 | #15

    Where do you get the packet file to test your networking with? Do you build it? I’m trying to verify a network that my VoIP vendor says must be on my network based on a Wireshark packet trace that I sent them.

  16. February 7th, 2013 at 02:24 | #16

    We capture the packets from our network or lab, we simulate all kinds of situation in our lab.Thank you

  17. Justin Glauber
    May 29th, 2013 at 07:39 | #17

    Where do you get the packet file for this step: “Let’s start Capsa, and then add in the packet file into the ready-to-replay list. Without any other settings, click this icon to start replay directly.”

  18. May 29th, 2013 at 20:17 | #18

    @Justin Glauber
    The packet files could be the trace file saved by Capsa or other network analysis applications, such as Wireshark.

  19. Shane
    July 29th, 2013 at 22:18 | #19

    This is for L3 loops where TTL changes. How about Layer 2 hops

  20. July 31st, 2013 at 00:41 | #20

    @Shane
    When there are layer 2 hops on the network, the IP identifications and the TTL values are the same. Therefore, you can go to the Packet view, locate the field Identification in the IP header information decoding section and check the Decode column to see if the values are the same, and then locate field Time to Live in the IP header information decoding section and check the Decode column to see if the values are the same. If both results are positive, you can be sure that there are layer 2 hops on the network.

  21. Jeffrey
    December 15th, 2014 at 03:13 | #21

    i have tried to follow the video to perform network loop detection, where to get ““network_loop.cscpkt” i could not find it.

  22. January 18th, 2015 at 23:23 | #22

    @Jeffrey
    The video is a tutorial one for showing Capsa users how to detect network loop. The packet file is not available for users.

  23. January 18th, 2015 at 23:30 | #23

    @Jeffrey
    The packet files could be the trace file saved by Capsa or other network analysis applications.

  1. September 20th, 2010 at 21:22 | #1