This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Seeing frames destined for other machines, why?

0

This is not a wireshark question but a general networking question. My machine running wireshark on the adapter in promiscuous mode sometimes receives frames destined for another machine on the subnet even though the network is fully switched, why?

my machine's mac address is :aa:bb:cc:xx:yy:zz, in promiscuous mode, no ip other machine's mac address is : aa:bb:cc:kk:ll:mm, ip:192.168.101.2 Internet server : ip:64.208.138.115

Now why is my machine receiving some frames of the conversation between 192.168.101.2 <-> 64.208.138.115 even though the machines are connected to a switch? one reason could be that the switch did not know the mac address for 192.168.101.2 and decided to flood all ports with the frame maybe ?

Tushar.

asked 16 Jan '14, 13:59

tushar's gravatar image

tushar
11224
accept rate: 0%


One Answer:

1

The last sentence of your question is the answer. Switches "forget" learned MAC addresses every once in a while to allow them to be refreshed, and for that one packet will be flooded.

answered 16 Jan '14, 14:06

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thank you Jasper!

-Tushar.

(16 Jan '14, 15:01) tushar