
Rogue Traffic


Hi,

We have captured some Wireshark traces from our equipment, which is connected to an L3 switch.

In the logs we are able to see the communication/traffic (TCP messages) of other devices which are connected to the same L3 switch.

Is this generic...?

Or does it give some idea about traffic flow on the L3 switch with protocols?

asked 28 Feb '13, 20:31

Lokanadhareddy

edited 01 Mar '13, 02:33

grahamb ♦


One Answer:


Is this generic?

As I understand your question:

  • You have a 'standard' switch (not a hub).
  • Your Wireshark machine is connected to a 'regular' switch port (access port).
  • You do see TCP traffic that is not related to your Wireshark machine.

If that is all true, here are my guesses:

  • You believe to have a switch, while you have a hub. In that case, you will see the whole network traffic.
  • The switch operates in fail-open mode and sends all packets to all ports. The reason for fail-open mode might be another system flooding the switch to be able to capture traffic. See http://wiki.wireshark.org/CaptureSetup/Ethernet. In that case, you will see the whole network traffic.
  • The switch port you are connected to is incidentally/accidentally a SPAN/mirror port. In that case you will see whatever traffic is mirrored to that port. Please check the switch configuration.
  • You are seeing only those TCP packets that the switch needs to flood to all ports, as its MAC/CAM table timed out the entry for those MAC addresses. In that case, you should not see the whole TCP communication, but rather single packets.

Regards
Kurt

answered 01 Mar '13, 09:18

Kurt Knochner ♦