Example 2 – broadcast storm caused by SMB

In one of my client's networks, I received an urgent call that a remote office was disconnected from the HQ. Some network details are as follows:

  • The remote office addresses are on subnet 172.30.121.0/24, with a default gateway 172.30.121.254.
  • The HQ addresses are on subnet 172.30.0.0/24. The connections between the remote offices and the HQ are with L3 IP-VPNs over an MPLS network.

To solve the problem, I did the following:

  • I tried to ping the servers in the HQ. I got no response.
  • I called the service provider that provides the lines to the HQ, and they said that on their monitoring system they didn't see any load on the line. That already pointed to a problem local to the remote LAN: the WAN link was quiet, and in any case LAN broadcasts do not cross an L3 IP-VPN.
  • I pinged the local router, 172.30.121.254, and got no response. This means that PCs on the LAN couldn't even reach their local router, which is their default gateway.
  • I connected Wireshark to a port mirror of the router port, and I saw something like the following screenshot:
Figure 15.7: Error condition—broadcast storm
  • I saw that a huge number of packets was being generated only microseconds apart (1) by a host with IP address 172.30.121.1. The packets are broadcast (3), and the service that generated them is Write Mail Slot (5), sent by the SMB Mailslot protocol (4).
  • To quantify it, I used the I/O Graphs feature: about 5,000 packets per second, roughly 10 Mbps (an average of about 250 bytes per frame), which was enough to block the poor old router port. Changing the router port to 100 Mbps or 1 Gbps wouldn't have helped; it still would have been blocked, because the router, as a host on the subnet, has to receive and process every broadcast frame in software, so it is the packet rate, not the line rate, that overwhelms it.
  • When I didn't find anything about it on Google or Microsoft, I started stopping services on the offending host that I didn't recognize, checking what happened to the broadcast rate after every change. Eventually, I found that the service that caused the problem was called LS3Bcast.exe. I stopped it, made sure it didn't come back, and that was it.
Figure 15.8: SMB broadcast storm—traffic rate
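The I/O Graphs step above, as an added example that is not part of the original text: a small Python triage routine that does what the graph did, binning frames into one-second windows, counting broadcast frames per source and converting the count into packets per second and Mbps. The packet list is constructed here to reproduce the rate on the page (5,000 frames per second of about 250 bytes from 172.30.121.1 to the subnet broadcast 172.30.121.255); it is not a real capture, and the field layout `(timestamp, src_ip, dst_ip, frame_len)` is an assumption of this example rather than any Wireshark export format.

```python
"""Broadcast-storm triage over a list of captured frames.

Constructed example (not from the original page): each packet is a tuple
(timestamp_seconds, src_ip, dst_ip, frame_len_bytes). The sample data is
synthetic and sized to reproduce the rate described in the case:
5,000 broadcast frames per second, ~250 bytes each, i.e. about 10 Mbps.
"""
from collections import defaultdict
from dataclasses import dataclass

SUBNET_BROADCAST = "172.30.121.255"   # directed broadcast of 172.30.121.0/24
LIMITED_BROADCAST = "255.255.255.255"


def is_broadcast(dst_ip: str) -> bool:
    """True for frames that every host on the segment (router included) must process."""
    return dst_ip in (SUBNET_BROADCAST, LIMITED_BROADCAST)


@dataclass
class Talker:
    src: str
    packets: int       # broadcast frames in the busiest window
    byte_count: int    # bytes in that same window
    window_s: float    # window length used for the rate

    @property
    def pps(self) -> float:
        return self.packets / self.window_s

    @property
    def mbps(self) -> float:
        return self.byte_count * 8 / self.window_s / 1e6

    @property
    def avg_frame(self) -> float:
        return self.byte_count / self.packets


def broadcast_talkers(packets, window_s: float = 1.0):
    """Per-source broadcast rate in the busiest window, like an I/O graph
    restricted to broadcast frames but split out per source address."""
    counts = defaultdict(int)   # (window_index, src) -> frames
    sizes = defaultdict(int)    # (window_index, src) -> bytes
    for ts, src, dst, length in packets:
        if not is_broadcast(dst):
            continue
        key = (int(ts // window_s), src)
        counts[key] += 1
        sizes[key] += length

    busiest = {}                # src -> Talker for its busiest window
    for (win, src), n in counts.items():
        t = Talker(src, n, sizes[(win, src)], window_s)
        if src not in busiest or t.packets > busiest[src].packets:
            busiest[src] = t
    return sorted(busiest.values(), key=lambda t: t.packets, reverse=True)


def find_storm_sources(packets, pps_threshold: float = 1000.0, window_s: float = 1.0):
    """Sources whose broadcast rate exceeds the threshold in any window.
    The threshold is on packets per second, not bits per second, because a
    router must inspect every broadcast in software regardless of link speed."""
    return [t for t in broadcast_talkers(packets, window_s) if t.pps > pps_threshold]


# Constructed sample traffic (synthetic, not a real capture):
# - the storm: 5,000 Write Mail Slot broadcasts in one second from 172.30.121.1
# - a little normal unicast traffic to the HQ, which must not be flagged
# - a few legitimate broadcasts from another host, well under the threshold
SAMPLE_PACKETS = (
    [(i / 5000.0, "172.30.121.1", SUBNET_BROADCAST, 250) for i in range(5000)]
    + [(0.1 * i, "172.30.121.10", "172.30.0.5", 120) for i in range(10)]
    + [(0.3 * i, "172.30.121.20", SUBNET_BROADCAST, 60) for i in range(3)]
)

if __name__ == "__main__":
    for t in find_storm_sources(SAMPLE_PACKETS):
        print(f"{t.src}: {t.pps:.0f} pps, {t.mbps:.1f} Mbps, avg frame {t.avg_frame:.0f} B")
```

On a real trace the same per-source view is quick to get in Wireshark by applying the display filter `eth.dst == ff:ff:ff:ff:ff:ff` before opening Statistics > Conversations, and the number to watch is the packet rate: the case above shows 5,000 frames per second of only 250 bytes each, which is a trivial bit rate for the link but a crushing interrupt rate for the router that has to look at each one.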