This is not a wireshark question but a general networking question. My machine running wireshark on the adapter in promiscuous mode sometimes receives frames destined for another machine on the subnet even though the network is fully switched, why?
my machine's mac address is :aa:bb:cc:xx:yy:zz, in promiscuous mode, no ip other machine's mac address is : aa:bb:cc:kk:ll:mm, ip:192.168.101.2 Internet server : ip:184.108.40.206
Now why is my machine receiving some frames of the conversation between 192.168.101.2 <-> 220.127.116.11 even though the machines are connected to a switch? one reason could be that the switch did not know the mac address for 192.168.101.2 and decided to flood all ports with the frame maybe ?
asked 16 Jan '14, 13:59
The last sentence of your question is the answer. Switches "forget" learned MAC addresses every once in a while to allow them to be refreshed, and for that one packet will be flooded.
answered 16 Jan '14, 14:06