
syslog traffic


If I am capturing with Wireshark on computer, which is connected to a non-mirrored port of the switch, should I be seeing syslog traffic sourced from which has as destination? Inter-VLAN routing is allowed between the subnets.

asked 05 Dec '13, 07:45

net_tech

accept rate: 13%

edited 05 Dec '13, 08:10

One Answer:


should I be seeing Syslog traffic

Only in the following cases:

  • you believe there is no port mirroring enabled, but there is!
  • The Wireshark PC is the same system as the syslog server and IP is just a secondary address on that system.
  • traffic to is sent to the broadcast MAC address (ff:ff:ff:ff:ff:ff), which would be rather silly.
  • traffic to is sent to a multicast MAC address (first bit of the first octet equal to 1). In that case the switch will flood the packet to every port in the VLAN. Reason for a multicast MAC: some cluster software on the server or a load balancer that handles the IP.
  • The switch does not know the MAC address/port relation for (CAM table timeout) and thus it must flood the packet to every port in the VLAN. This will happen only once in a while.
  • The switch got flooded with (fake) MAC addresses, causing a CAM table overflow, and thus it switched to 'fail-open mode', which makes it basically a HUB. Reason: a bogus device or an attacker.
  • a bug in the switch firmware

In all other cases you should not see that traffic in Wireshark.


answered 05 Dec '13, 08:24


Kurt Knochner ♦
accept rate: 15%

edited 05 Dec '13, 13:27

None of the cases apply, but based on your answer I think it's a problem with inter-VLAN routing configured on the switch.

(05 Dec '13, 08:42) net_tech

This is not related to (any form of) routing. If you see a frame on a switch port where it should not appear, it is solely a switch problem, according to the reasons I mentioned above.

(05 Dec '13, 09:15) Kurt Knochner ♦

Since you edited your post with an additional case, "a bug in the switch firmware", I'm going to go with it.

A MAC address for was not in the switch's ARP table; pinging from the switch added the MAC address to the ARP table on the switch and prevented ALL network devices from seeing syslog traffic except for the device it was destined to.

(05 Dec '13, 10:26) net_tech

Here is an update on the issue. Since syslog messages are sent over UDP, does not receive any acknowledgments from, and the MAC address of falls out of the MAC address table after the default timeout. I said ARP table in my previous post, but I meant the MAC table of the switch. According to Cisco tech support this is normal behavior, and the only solution to this nuisance is to PING from any system on either of the subnets, which by the way live on the same switch.

(05 Jan '14, 05:52) net_tech
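The mechanism the thread settles on (one-way UDP syslog never makes the server transmit, so its MAC entry ages out of the switch table and the next datagram is flooded to every port in the VLAN, Wireshark PC included, until a ping makes the server send a frame again) as an added example that is not part of the original Q&A. It is a small Python model of a learning switch, not Cisco code; every MAC, port number and timestamp is constructed, the 300 s aging time and the tiny table size are assumed values for the model, and it also covers the broadcast/multicast and CAM-overflow cases from the answer.

```python
"""Model of a learning switch: source-MAC learning, aging, unknown-unicast
flooding, the I/G (group) bit and CAM overflow. Added example, not code from
the original Q&A; all MACs, ports and timings are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample topology, not the asker's real hosts.
CLIENT_MAC = "00:11:22:33:44:01"     # device that sends syslog
SERVER_MAC = "00:11:22:33:44:02"     # syslog server (never replies to UDP syslog)
BROADCAST = "ff:ff:ff:ff:ff:ff"
CLIENT_PORT, SERVER_PORT, SNIFFER_PORT = 1, 2, 3   # sniffer = Wireshark PC, non-mirrored port
ALL_PORTS = (CLIENT_PORT, SERVER_PORT, SNIFFER_PORT)


def is_group_address(mac: str) -> bool:
    """Broadcast/multicast: the I/G bit is the least-significant bit of the
    first octet (the first bit transmitted on the wire) and is set to 1."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class LearningSwitch:
    aging_time: float = 300.0   # seconds; assumed default (Cisco IOS uses 300 s)
    capacity: int = 8           # deliberately tiny CAM so overflow can be shown
    cam: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # mac -> (port, last_seen)

    def forward(self, src: str, dst: str, in_port: int, now: float) -> List[int]:
        """Return the egress port list for one frame."""
        # 1. age out entries not refreshed by a frame *from* that MAC recently
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen >= self.aging_time]:
            del self.cam[mac]
        # 2. learn/refresh the source MAC unless the table is full (overflow)
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)
        # 3. group addresses and unknown unicast are flooded to the whole VLAN
        if is_group_address(dst) or dst not in self.cam:
            return [p for p in ALL_PORTS if p != in_port]
        return [self.cam[dst][0]]


def run_scenario(aging_time: float = 300.0) -> List[Tuple[float, str, bool]]:
    """Replay the thread's situation. Each entry is (time, event, sniffer_saw_it)."""
    sw = LearningSwitch(aging_time=aging_time)
    log: List[Tuple[float, str, bool]] = []

    def send(t: float, src: str, dst: str, in_port: int, label: str) -> None:
        log.append((t, label, SNIFFER_PORT in sw.forward(src, dst, in_port, t)))

    send(0.0, CLIENT_MAC, BROADCAST, CLIENT_PORT, "arp request (broadcast)")  # flooded
    send(0.1, SERVER_MAC, CLIENT_MAC, SERVER_PORT, "arp reply")               # server learned
    for t in (10.0, 100.0, 250.0):                 # server entry still fresh: unicast only
        send(t, CLIENT_MAC, SERVER_MAC, CLIENT_PORT, "syslog")
    send(400.0, CLIENT_MAC, SERVER_MAC, CLIENT_PORT, "syslog")           # aged out -> flooded
    send(401.0, SERVER_MAC, CLIENT_MAC, SERVER_PORT, "icmp echo reply")  # ping makes server talk
    send(402.0, CLIENT_MAC, SERVER_MAC, CLIENT_PORT, "syslog")           # unicast again
    return log


def cam_overflow_floods(n_fake_macs: int) -> bool:
    """Attacker on the sniffer port sends frames from many bogus source MACs.
    Once the table is full the server cannot be learned, so frames to it flood."""
    sw = LearningSwitch()
    for i in range(n_fake_macs):
        sw.forward(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST, SNIFFER_PORT, 1.0)
    sw.forward(SERVER_MAC, CLIENT_MAC, SERVER_PORT, 2.0)   # server tries to get learned
    return SNIFFER_PORT in sw.forward(CLIENT_MAC, SERVER_MAC, CLIENT_PORT, 3.0)


if __name__ == "__main__":
    for t, event, seen in run_scenario():
        print(f"t={t:6.1f}s  {event:25s}  Wireshark PC sees it: {seen}")
    print("overflowed CAM floods syslog:", cam_overflow_floods(20))
```

The model makes the asymmetry explicit: learning is driven only by source addresses, so a host that only ever receives traffic (a syslog server listening on UDP) is forgotten after the aging timer, whatever the routing configuration. Anything that makes the server transmit on that VLAN (a ping reply, an ARP reply, a gratuitous ARP) refreshes the entry; a static mac address-table entry or a longer aging time are the usual ways to avoid the periodic flood.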