I ran a packet capture on a client computer connected to a non-spanned switch port. I expected to see only broadcast and multicast traffic. What I did get was multicast, broadcast AND some unicast traffic to/from clients other than my capture host. Why would I be seeing unicast traffic like this on a switched client?
The capture host is running tshark 0.99.4 on Linux 2.4.27-3-686.
asked 22 Sep '10, 12:15
edited 22 Sep '10, 14:22
Apart from the cases already mentioned by Laura, there are actually a few situations in which this is "works as designed" (so much for general network "design"):
answered 22 Sep '10, 14:20
I see this when a Cisco switch ages out a MAC address (MAC aging time, default 5 minutes) but the device forwarding the traffic (usually UDP traffic) has a 4-hour ARP aging time.
Try pinging the IP address of the traffic from the workstation and see if it disappears. The ping will cause an ARP request, and the ARP response will place the MAC back in all the switch tables.
Are the addresses all the same subnet? We recently cleaned up a network where multiple subnets were active in the same VLAN!!!
answered 29 Sep '10, 12:33
As already pointed out, ARP cache timeout is the likely culprit. We see this a lot on networks where you have a switch pair connected to each other and each having uplinks to a router pair, but they DO NOT have cross connects (an X, a bowtie, etc.) between the switches and routers, kind of a horseshoe. Your device is on switch A, which is directly connected to router A. All outbound traffic will go that route, but the return traffic will possibly hit router B, which has no ARP entry for your workstation but does have an interface within the proper subnet/VLAN. So it forwards it out of that interface to switch B, which also has no MAC entry and blasts it to every port, including the cross connect, which is how the packets make it to your interface. We have argued with Cisco and Juniper about this being the result of their "best practices". You might want to keep an eye on that crosslink's utilization. There are a few remedies for this, but all are dependent on your environment.
answered 29 Sep '10, 12:58
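The two answers above describe the same mechanism: the switch forgets where a quiet host lives after its MAC aging time, while the sender's ARP cache still holds a valid entry, so the sender keeps emitting unicast frames that the switch can only flood. The toy model below is an added example, not code from the thread or from any vendor; the addresses, port names and timeline are constructed, and the switch and host classes are simplified stand-ins. It reproduces the symptom (a one-way UDP stream from a router to a silent client gets flooded to every port once the client's MAC entry ages out), shows the ping remedy from the second answer re-teaching the switch, and shows that the problem disappears when the ARP timeout is no longer than the MAC aging time.

```python
"""Toy model of the MAC-aging vs ARP-aging mismatch (added example, constructed data).

The switch learns source MACs and ages them out after MAC_AGING seconds; each
host keeps an ARP cache with its own timeout. A router sending one-way UDP to a
client that never transmits ends up with a valid ARP entry but no matching
switch-table entry, and the switch floods the unicast frame."""
from dataclasses import dataclass, field

MAC_AGING = 300                 # seconds; the Cisco default quoted in the answer
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: list
    aging: int = MAC_AGING
    table: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def forward(self, src, dst, in_port, now):
        """Learn src on in_port, then return the egress port list for dst."""
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is not None and now - entry[1] <= self.aging:
            return [entry[0]]
        # Unknown (or aged-out) unicast and broadcast: flood every other port.
        return [p for p in self.ports if p != in_port]


@dataclass
class Host:
    mac: str
    ip: str
    port: str
    arp_aging: int
    arp: dict = field(default_factory=dict)     # ip -> (mac, learned_at)


def send_ip(sw, src, dst, now, events):
    """src sends one IP datagram to dst, ARPing first if its cache entry is stale.
    Appends (time, label, egress ports) for every frame the switch handles."""
    cached = src.arp.get(dst.ip)
    if cached is None or now - cached[1] > src.arp_aging:
        # The ARP request is a broadcast; the unicast reply re-teaches the switch where dst is.
        events.append((now, "arp-request", sw.forward(src.mac, BROADCAST, src.port, now)))
        events.append((now, "arp-reply", sw.forward(dst.mac, src.mac, dst.port, now)))
        src.arp[dst.ip] = (dst.mac, now)
    ports = sw.forward(src.mac, dst.mac, src.port, now)
    events.append((now, f"{src.ip}->{dst.ip}", ports))
    return ports


def run_scenario(arp_aging=4 * 3600):
    """Router on p1 streams UDP to a silent client on p2; a capture host sits on p3.
    Returns the event log. Default ARP timeout is the 4 hours quoted in the answer."""
    sw = Switch(ports=["p1", "p2", "p3", "p4"])
    router = Host("00:00:5e:00:01:01", "10.0.0.1", "p1", arp_aging)   # constructed
    client = Host("02:00:00:00:00:02", "10.0.0.2", "p2", arp_aging)   # constructed
    events = []
    send_ip(sw, router, client, 0, events)      # ARP exchange, then the first datagram
    send_ip(sw, router, client, 60, events)     # client MAC still fresh in the switch table
    send_ip(sw, router, client, 400, events)    # client silent for > MAC_AGING: flooded
    # Remedy from the answer: the client pings the router; the resulting ARP and
    # ICMP frames carry the client's source MAC and re-populate the switch table.
    send_ip(sw, client, router, 401, events)
    send_ip(sw, router, client, 402, events)    # back to a single egress port
    return events


def flooded_unicast(events):
    """Datagrams (not ARP) that the switch had to flood to more than one port."""
    return [(t, label) for t, label, ports in events
            if not label.startswith("arp") and len(ports) > 1]


if __name__ == "__main__":
    for t, label, ports in run_scenario():
        print(f"t={t:4d}s  {label:22s} -> {ports}")
    print("flooded unicast:", flooded_unicast(run_scenario()))
    print("with ARP timeout == MAC aging:", flooded_unicast(run_scenario(arp_aging=MAC_AGING)))
```

Running it shows the router's datagram at t=400 leaving on p2, p3 and p4, which is exactly the "unicast to someone else" that a capture host on p3 records; after the ping at t=401 the next datagram goes to p2 only. With `arp_aging=MAC_AGING` the router re-ARPs before the switch entry can expire, so only the expected ARP broadcast is flooded.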
Ohh... ouch! That is not a great situation. Here are some possible reasons... (and you might want to update your Tshark version...)
Make sure you look at the MAC address of those "unicast" packets you are seeing as the switch is forwarding based on that address, not the IP address. Maybe the MAC destination has the multicast or broadcast bit set for some freaky reason.
answered 22 Sep '10, 13:45
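The advice above is to classify the surprising frames by their destination MAC rather than by IP, because that is what the switch forwards on, and to check whether the group (I/G) bit happens to be set. The script below is an added example, not code from the thread; it builds a handful of constructed Ethernet/IPv4 frames (the MAC and IP addresses are made up), parses the 14-byte Ethernet header and the IPv4 destination, and sorts each frame into broadcast, multicast, unicast-to-me, unicast-to-someone-else (the flooded-unicast symptom from the question) or the odd case of a group MAC carrying a unicast IP destination. Reading frames from a real capture file instead of the constructed list is left to the reader.

```python
"""Classify captured Ethernet frames by destination MAC (added example, constructed frames).

The switch forwards on the destination MAC, so that is the field to inspect:
bit 0 of the first octet is the I/G (group) bit; all-ones is broadcast."""
import struct
from collections import Counter
from ipaddress import IPv4Address

ETH_P_IP = 0x0800
BROADCAST = bytes.fromhex("ffffffffffff")
LIMITED_BROADCAST_IP = IPv4Address("255.255.255.255")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def classify_frame(frame, my_mac):
    """Return (category, dst_mac, dst_ip) for one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    dst_ip = None
    if ethertype == ETH_P_IP and len(frame) >= 34:
        dst_ip = IPv4Address(frame[30:34])      # IPv4 destination sits at offset 14 + 16
    if dst == BROADCAST:
        cat = "broadcast"
    elif dst[0] & 0x01:                         # I/G bit set: group address
        if (dst_ip is not None and not dst_ip.is_multicast
                and dst_ip != LIMITED_BROADCAST_IP):
            cat = "multicast-mac-unicast-ip"    # the odd case the answer mentions
        else:
            cat = "multicast"
    elif dst == my_mac:
        cat = "unicast-to-me"
    else:
        cat = "unicast-other"                   # flooded unknown unicast: the question's symptom
    return cat, mac_str(dst), (str(dst_ip) if dst_ip is not None else None)


def build_ipv4_frame(dst_mac, src_mac, dst_ip, src_ip, payload=b""):
    """Minimal Ethernet + IPv4 frame for test data (checksum and IDs zeroed; constructed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_P_IP) + ip_hdr + payload


# Constructed sample capture: capture host is 02:00:00:00:00:03 / 10.0.0.3,
# another client is 02:00:00:00:00:02 / 10.0.0.2, the router is 00:00:5e:00:01:01 / 10.0.0.1.
MY_MAC = bytes.fromhex("020000000003")
CLIENT = bytes.fromhex("020000000002")
ROUTER = bytes.fromhex("00005e000101")
SAMPLE_FRAMES = [
    build_ipv4_frame(BROADCAST, CLIENT, "10.0.0.255", "10.0.0.2"),                 # broadcast
    build_ipv4_frame(bytes.fromhex("01005e000001"), CLIENT, "224.0.0.1", "10.0.0.2"),  # multicast
    build_ipv4_frame(MY_MAC, ROUTER, "10.0.0.3", "10.0.0.1"),                      # unicast to me
    build_ipv4_frame(CLIENT, ROUTER, "10.0.0.2", "10.0.0.1"),                      # unicast to another host
    build_ipv4_frame(bytes.fromhex("01005e000002"), ROUTER, "10.0.0.2", "10.0.0.1"),   # group MAC, unicast IP
]


def summarize(frames, my_mac):
    """Count frames per category and list the ones a switched port should not show."""
    counts = Counter()
    unexpected = []
    for f in frames:
        cat, dst_mac, dst_ip = classify_frame(f, my_mac)
        counts[cat] += 1
        if cat in ("unicast-other", "multicast-mac-unicast-ip"):
            unexpected.append((cat, dst_mac, dst_ip))
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE_FRAMES, MY_MAC)
    for cat, n in sorted(counts.items()):
        print(f"{cat:28s} {n}")
    for cat, dst_mac, dst_ip in unexpected:
        print(f"unexpected: {cat} dst_mac={dst_mac} dst_ip={dst_ip}")
```

On the sample data the classifier reports one frame in each category; the "unicast-other" entry (destination MAC 02:00:00:00:00:02) is the kind of frame the question is about, and the "multicast-mac-unicast-ip" entry is the mismatch the answer says to look for. If the unexpected unicast frames all share the same destination MAC, that MAC's switch-table entry is the thing to investigate.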
I have seen this happen a couple of times too, so here's my 2 additional cents ;-)
answered 25 Sep '10, 15:23