This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

syslog traffic

0

If I am capturing with wireshark on 192.168.2.10/22 computer, which is connected to a non-mirrored port of the switch, should I be seeing Syslog traffic sourced from 192.168.5.1/24 which has 192.168.3.100/22 as destination? Inter vlan routing is allowed between subnets.

asked 05 Dec '13, 07:45

net_tech

edited 05 Dec '13, 08:10


One Answer:

2

> should I be seeing Syslog traffic

Only in the following cases:

  • You believe there is no port mirroring enabled, but it is!
  • The Wireshark PC is the same system as the syslog server and IP 192.168.2.10 is just a secondary address on that system.
  • Traffic to 192.168.3.100 is sent to the broadcast MAC address (ff:ff:ff:ff:ff:ff), which would be rather silly.
  • Traffic to 192.168.3.100 is sent to a multicast MAC address (first bit of first octet eq 1). In that case the switch will flood the packet to every port in the VLAN. Reason for a multicast MAC: some cluster software on the server 192.168.3.100 or a load balancer that handles the IP.
  • The switch does not know the MAC address/port relation for 192.168.3.100 (CAM table timeout) and thus it must flood the packet to every port in the VLAN. This will happen only once in a while.
  • The switch got flooded with (fake) MAC addresses, causing a CAM table overflow, and thus it switched to 'fail-open mode', which makes it basically a hub. Reason: a bogus device or an attacker.
  • A bug in the switch firmware.

In all other cases you should not see that traffic in Wireshark.

Regards
Kurt

answered 05 Dec '13, 08:24

Kurt Knochner ♦

edited 05 Dec '13, 13:27

none of the cases apply, but based on your answer I think it's a problem with inter vlan routing configured on the switch.

(05 Dec '13, 08:42) net_tech

This is not related to (any form of) routing. If you see a frame on a switch port where it should not appear, it is solely a switch problem, according to the reasons I mentioned above.

(05 Dec '13, 09:15) Kurt Knochner ♦

Since you edited your post with an additional case, "a bug in the switch firmware", I am gonna go with it.

A MAC address for 192.168.3.100 was not in the switch's ARP table; pinging 192.168.3.100 from the switch added the MAC address to the ARP table on the switch and prevented ALL network devices from seeing syslog traffic except for the device it was destined to.

(05 Dec '13, 10:26) net_tech

Here is an update on the issue. Since syslog messages are sent over UDP, 192.168.5.1/24 does not receive any acknowledgments from 192.168.3.100, and the MAC address of 192.168.3.100 falls out of the MAC address table after the default timeout. I said ARP table in my previous post, but I meant the MAC table of the switch. According to Cisco tech support this is normal behavior, and the only solution to this nuisance is to PING 192.168.3.100 from any system on either of the subnets, which by the way live on the same switch.

(05 Jan '14, 05:52) net_tech
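The following is an added example, not code from the thread or from Wireshark: a small model of a learning switch with MAC-table aging that reproduces the flooding cases in Kurt's list (broadcast/multicast I/G bit, unknown destination after a CAM timeout) and the timeline net_tech describes in the final update (one-way UDP syslog never refreshes the server's entry, so it ages out and the stream is flooded to every port in the VLAN until a frame from the server, such as a ping reply, re-teaches the switch). Port numbers, MAC addresses and timestamps are constructed; the 300-second aging default is an assumption of the model.

```python
"""Toy learning switch with MAC aging (constructed example, not the original post's code).

Shows why a one-way UDP syslog stream can appear on a non-mirrored port once the
destination's MAC entry ages out, and why a single frame *from* the destination
stops the flooding again.
"""
from dataclasses import dataclass, field

FLOOD = "FLOOD"        # frame copied to every port in the VLAN except the ingress port
ROUTER_PORT = 1        # constructed: where the syslog source (192.168.5.1) connects
SNIFFER_PORT = 2       # constructed: the Wireshark PC's non-mirrored access port
SERVER_PORT = 3        # constructed: where the syslog server (192.168.3.100) connects

# Constructed MAC addresses; the real ones are not on the page.
ROUTER_MAC = "00:11:22:00:00:01"
SERVER_MAC = "00:11:22:00:00:02"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MCAST_MAC = "01:00:5e:00:00:01"   # IPv4 multicast MAC prefix 01:00:5e


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit set: the least-significant bit
    of the first octet, which is the first bit sent on the wire ("first bit of first
    octet eq 1" in the answer). A switch floods such frames instead of looking them up."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Switch:
    aging_seconds: int = 300                   # assumed default MAC aging time
    cam: dict = field(default_factory=dict)    # mac -> (port, last_seen)

    def _expire(self, now: int) -> None:
        stale = [m for m, (_, seen) in self.cam.items() if now - seen >= self.aging_seconds]
        for m in stale:
            del self.cam[m]

    def forward(self, src: str, dst: str, ingress: int, now: int):
        """Return the egress port for a frame, FLOOD, or None if dst is on the ingress port.
        Learning only refreshes the *source* address, so a one-way stream never
        keeps the receiver's entry alive."""
        self._expire(now)
        self.cam[src] = (ingress, now)
        if is_group_address(dst) or dst not in self.cam:
            return FLOOD
        port, _ = self.cam[dst]
        return port if port != ingress else None


def seen_by_sniffer(decision, sniffer_port: int = SNIFFER_PORT) -> bool:
    """A frame reaches the Wireshark PC only if it was flooded or addressed to its port."""
    return decision == FLOOD or decision == sniffer_port


def syslog_scenario(aging_seconds: int = 300):
    """Replay the timeline from the thread; returns [(time, forwarding decision), ...]."""
    sw = Switch(aging_seconds=aging_seconds)
    timeline = []
    # t=0: the server answers an ARP request, so the switch learns SERVER_MAC on port 3
    sw.forward(SERVER_MAC, ROUTER_MAC, SERVER_PORT, now=0)
    # t=10: syslog (UDP, one-way) router -> server: plain unicast to port 3 only
    timeline.append((10, sw.forward(ROUTER_MAC, SERVER_MAC, ROUTER_PORT, now=10)))
    # t=400: the server has sent nothing for 400 s > aging time; its entry is gone,
    # so the next syslog datagram is flooded and shows up on the sniffer's port
    timeline.append((400, sw.forward(ROUTER_MAC, SERVER_MAC, ROUTER_PORT, now=400)))
    # t=401: a ping reply from the server re-learns SERVER_MAC on port 3
    sw.forward(SERVER_MAC, ROUTER_MAC, SERVER_PORT, now=401)
    # t=402: syslog is unicast to port 3 again; the sniffer no longer sees it
    timeline.append((402, sw.forward(ROUTER_MAC, SERVER_MAC, ROUTER_PORT, now=402)))
    return timeline


if __name__ == "__main__":
    for t, decision in syslog_scenario():
        print(f"t={t:3d}s  egress={decision!s:5}  sniffer sees it: {seen_by_sniffer(decision)}")
```

Running the scenario with the default aging time prints unicast, flood, unicast, which is exactly the pattern in the thread; calling `syslog_scenario(aging_seconds=600)` shows that a longer aging time (or any periodic frame from the server) keeps the entry alive and the stream never reaches the sniffer, while `Switch().forward(ROUTER_MAC, BROADCAST_MAC, ROUTER_PORT, 0)` and the multicast MAC both return `FLOOD` regardless of the table, matching the broadcast and multicast cases in the answer.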