How to use Wireshark to find broadcast storms

This tutorial explains how you can find broadcast storms using Wireshark. To identify broadcast storms or packets, you first need to identify the types of packets that are broadcast in nature.

There are two types of broadcast: Layer 2 broadcast and Layer 3 broadcast. Layer 2 broadcast packets have the destination MAC address FF-FF-FF-FF-FF-FF. Layer 3 broadcasts have the destination IP address 255.255.255.255. The destination MAC address of a Layer 3 broadcast packet is also FF-FF-FF-FF-FF-FF.

So all broadcast packets can be identified using the Wireshark filter eth.dst==FF:FF:FF:FF:FF:FF, which shows only the broadcast packets on the network. The source MAC address of those packets also indicates where the broadcast packet or storm was initiated.
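
The same check can be run outside the Wireshark GUI. The following is an added example, not part of the original tutorial: it applies the broadcast destination test to raw Ethernet frames, separates Layer 2 from Layer 3 broadcasts, and ranks source MAC addresses by their peak broadcast rate. The sample frames, the MAC addresses and the 100 broadcasts/second threshold are constructed assumptions, and frames are assumed to be untagged (no 802.1Q header).

```python
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6  # what eth.dst==FF:FF:FF:FF:FF:FF matches

def classify(frame):
    """Return (source MAC, 'L2' or 'L3') for a broadcast frame, else None."""
    if len(frame) < 14 or frame[0:6] != BROADCAST_MAC:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    # IPv4 destination address sits at bytes 30..33 of an untagged frame
    if ethertype == 0x0800 and frame[30:34] == b"\xff" * 4:
        return src, "L3"
    return src, "L2"

def storm_suspects(capture, threshold_pps):
    """capture: iterable of (timestamp_seconds, frame_bytes).
    Return {source MAC: peak broadcasts in any one-second bucket} for
    sources whose peak reaches threshold_pps."""
    buckets = Counter()
    for ts, frame in capture:
        hit = classify(frame)
        if hit:
            buckets[(hit[0], int(ts))] += 1
    peaks = {}
    for (src, _second), count in buckets.items():
        peaks[src] = max(peaks.get(src, 0), count)
    return {src: n for src, n in peaks.items() if n >= threshold_pps}

# --- constructed sample capture (not real traffic) ---
def eth(dst, src, ethertype, payload):
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return raw(dst) + raw(src) + struct.pack("!H", ethertype) + payload

def ipv4(dst_ip):
    # Minimal 20-byte header; only the destination field is filled in
    return b"\x45" + bytes(15) + bytes(dst_ip)

BCAST = "ff:ff:ff:ff:ff:ff"
NOISY, QUIET = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
# 400 ARP-sized broadcasts from NOISY inside one second
SAMPLE = [(10.0 + i / 500, eth(BCAST, NOISY, 0x0806, bytes(28))) for i in range(400)]
SAMPLE.append((10.2, eth(BCAST, QUIET, 0x0800, ipv4([255] * 4))))  # L3 broadcast
SAMPLE.append((10.4, eth("02:00:00:00:00:cc", QUIET, 0x0800, ipv4([10, 0, 0, 5]))))  # unicast

if __name__ == "__main__":
    for mac, pps in storm_suspects(SAMPLE, threshold_pps=100).items():
        print(f"{mac} peaked at {pps} broadcasts/second")
```

A single broadcast from a host is normal (ARP and DHCP depend on it); it is the sustained per-source rate that points to the origin of a storm.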


The Wireshark screenshot with the appropriate filter is shown below.