I ran a packet capture on a client computer connected to a non-spanned switch port. I expected to see only broadcasts and multicast traffic. What I did get was multicast, broadcast AND - some unicast traffic to/from clients other than my capture client host. Why would I be seeing unicast traffic like this on a switched client? The capture host is running tshark 0.99.4 on Linux 2.4.27-3-686. asked 22 Sep '10, 12:15 Labnuke edited 22 Sep '10, 14:22 SYN-bit ♦♦ |
5 Answers:
Apart from the cases already mentioned by Laura, there are actually a few situations in which this is "works as designed" (so much for general network "design"):
answered 22 Sep '10, 14:20 SYN-bit ♦♦ The network is a /16 network but I don't think there are very many hosts on this LAN (<500). So would full mac-address-table really be a potential cause in this case? There is not a second router in this environment. Just a single router to outside networks. (24 Sep '10, 08:34) Labnuke |
I see this when Cisco Switch ages out a MAC address (mac aging time - default 5 minutes) but the device forwarding the traffic (usually UDP traffic) has a 4 hour ARP aging time. Try pinging the ip address of the traffic from the work station and see if it disappears. The PING will cause an ARP and the arp response will place the MAC back in all the switch tables. Are the addresses all the same subnet? We recently cleaned up a network where multiple subnets were active in the same VLAN!!! answered 29 Sep '10, 12:33 erics +1 for erics. We had a similar issue (not really a problem) with seeing traffic we weren't supposed to see on a host. We pinged the ip addresses of the traffic from the work station and sure enough, they went away. The ARP timeouts on the different devices were set to 5000 and 300. I'm gonna try and remember this nifty troubleshooting tip. Thanks. (25 Jan '11, 14:57) RobertM We just had exactly the same problem on our Cisco core - massive amount of UDP packets being broadcast out to all switch ports, strange thing was that there was an entry in the ARP cache for the destination IP, pinging the detination IP from the core solved the issue, I guess we need to look at our ARP aging times as well! Cheers erics! (12 Jun '13, 06:55) Gaz Jones |
As already pointed out ARP Cache timeout is the likely culprit. We see this a lot on networks where you have a switch pair connected to each other and each having uplinks to a router pair but they DO NOT have cross connects (an X, a bowtie, etc) between the switches and routers - kind of a horseshoe. Your device is on switch A, which is directly connected to router A. All outbound traffic will go that route, but the return traffic will possibly hit router B, which has no ARP entries for your workstation but does have an interface within the proper subnet/VLAN. So it forwards it out of that interface to Switch B which also has no ARP entry and blasts it to every port - including the cross connect, which is how the packets make it to your interface. We have argued with Cisco and Juniper about this being the result of their "best practices". You might want to keep an eye on that crosslink's utilization. There are a few remedies for this but all are dependent on your environment. answered 29 Sep '10, 12:58 GeonJay |
Ohh... ouch! That is not a great situation. Here are some possible reasons... (and you might want to update your Tshark version...)
Make sure you look at the MAC address of those "unicast" packets you are seeing as the switch is forwarding based on that address, not the IP address. Maybe the MAC destination has the multicast or broadcast bit set for some freaky reason. answered 22 Sep '10, 13:45 lchappell ♦ Thanks for the feedback. This is a Nortel BayStack 470 switch. I will confirm the mac addresses in the packet and ses what they show. I know that there is no port spanning setup so that would not be the cause of this. (24 Sep '10, 08:24) Labnuke Are you referring to the IG bit on the destination MAC? If so, that is set to 0. Based on what I see today on a capture on this host that your #1 suggestion is the correct one. That for some reason, the clients have an old address cached in ARP and the switch does not know where the device is so floods all ports with that traffic. (24 Sep '10, 10:55) Labnuke So, this then leads to the question about how often does a client on the same LAN do an ARP before communicating? I'm sure it depends on OS version and how often ARP entries timeout. But what if the traffic is coming from an external network? When will the router or layer 3 device do an ARP? (24 Sep '10, 10:58) Labnuke 1 Local routers/layer 3 devices will ARP when their ARP cache times out and - yup - you're right - it depends on the OS. As a reminder to readers - ARP packets are non-routable because they have no IP header so any ARP traffic you see is local only. (24 Sep '10, 12:11) lchappell ♦ |
I have seen this happen a couple of times to, so here's my 2 additional cents ;-)
answered 25 Sep '10, 15:23 Jasper ♦♦ |
Labnuke, I updated the title of your question to make it more general and easier for people to find. Hope you don't mind :-)
No worries - I struggled with how to set the subject to begin with.