This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture shows other hosts information

0

Hi,

I started Wireshark on my notebook to capture what was going on at my NIC, but I am surprised to see other hosts' communications not destined for my NIC as well (note that my switch port is not configured in SPAN mode). My IP address is 172.16.224.162.

Address A,Address B,Packets,Bytes,Packets A->B,Bytes A->B,Packets A<-B,Bytes A<-B,Rel Start,Duration,bps A->B,bps A<-B
172.25.219.2,224.0.0.10,17,1258,17,1258,0,0,0.057954000,73.6765,136.60,N/A
172.16.224.129,224.0.0.10,17,1258,17,1258,0,0,3.172119000,72.4497,138.91,N/A
172.16.224.162,172.25.218.16,111,33433,53,10370,58,23063,4.771098000,61.9298,1339.58,2979.24
172.16.224.162,172.25.221.18,9,1534,6,964,3,570,16.455411000,60.7066,127.04,75.12
172.16.224.209,172.25.221.18,2,120,0,0,2,120,18.893031000,0.0021,N/A,458891.01
172.16.224.195,172.25.221.18,2,120,0,0,2,120,18.893376000,0.0008,N/A,1166464.16
172.16.224.184,172.25.218.16,1,304,0,0,1,304,34.119187000,0.0000,N/A,N/A
172.16.224.210,172.16.224.255,6,552,6,552,0,0,44.369611000,3.7658,1172.66,N/A
172.16.224.206,255.255.255.255,1,342,1,342,0,0,45.879366000,0.0000,N/A,N/A
172.16.224.196,172.16.224.255,34,3633,34,3633,0,0,46.496769000,30.6426,948.48,N/A
172.16.224.162,172.25.218.13,138,84042,61,10937,77,73105,72.798605000,1.2638,69231.05,462753.58

asked 11 Apr '11, 02:28


Benson Low
accept rate: 0%

edited 26 Feb '12, 22:24


cmaynard ♦♦
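The conversation export above can be sorted into "traffic for us", "group traffic we are expected to receive" and "unicast between two other hosts that only reached our NIC because the switch flooded it". The following is an added example, not code from the question or from Wireshark; it parses the CSV as pasted and assumes the capturing host is 172.16.224.162 on a 172.16.224.0/24 LAN (the /24 is inferred from the 172.16.224.255 broadcast rows, not stated in the thread). For flooded conversations it also reports whether every observed frame travelled towards the LAN-side host with nothing seen back from it, which is the pattern a switch produces after it has aged out that host's MAC entry.

```python
import csv
import io
import ipaddress

# Constructed sample input: the Statistics > Conversations (IPv4) CSV export
# pasted in the question, copied verbatim.
SAMPLE_CSV = """Address A,Address B,Packets,Bytes,Packets A->B,Bytes A->B,Packets A<-B,Bytes A<-B,Rel Start,Duration,bps A->B,bps A<-B
172.25.219.2,224.0.0.10,17,1258,17,1258,0,0,0.057954000,73.6765,136.60,N/A
172.16.224.129,224.0.0.10,17,1258,17,1258,0,0,3.172119000,72.4497,138.91,N/A
172.16.224.162,172.25.218.16,111,33433,53,10370,58,23063,4.771098000,61.9298,1339.58,2979.24
172.16.224.162,172.25.221.18,9,1534,6,964,3,570,16.455411000,60.7066,127.04,75.12
172.16.224.209,172.25.221.18,2,120,0,0,2,120,18.893031000,0.0021,N/A,458891.01
172.16.224.195,172.25.221.18,2,120,0,0,2,120,18.893376000,0.0008,N/A,1166464.16
172.16.224.184,172.25.218.16,1,304,0,0,1,304,34.119187000,0.0000,N/A,N/A
172.16.224.210,172.16.224.255,6,552,6,552,0,0,44.369611000,3.7658,1172.66,N/A
172.16.224.206,255.255.255.255,1,342,1,342,0,0,45.879366000,0.0000,N/A,N/A
172.16.224.196,172.16.224.255,34,3633,34,3633,0,0,46.496769000,30.6426,948.48,N/A
172.16.224.162,172.25.218.13,138,84042,61,10937,77,73105,72.798605000,1.2638,69231.05,462753.58
"""

# Assumptions (not stated in the thread): the capturing host's address and
# that its LAN is a /24, inferred from the 172.16.224.255 broadcast rows.
LOCAL_IP = "172.16.224.162"
LAN = ipaddress.ip_network("172.16.224.0/24")


def classify_endpoint(addr, local_ip=LOCAL_IP, lan=LAN):
    """Label one conversation endpoint: local, multicast, broadcast or unicast."""
    ip = ipaddress.ip_address(addr)
    if addr == local_ip:
        return "local"
    if ip.is_multicast:
        return "multicast"
    if ip == ipaddress.ip_address("255.255.255.255") or ip == lan.broadcast_address:
        return "broadcast"
    return "unicast"


def classify_conversation(row, local_ip=LOCAL_IP, lan=LAN):
    """Explain why the capturing NIC saw this conversation at all."""
    kinds = {classify_endpoint(row["Address A"], local_ip, lan),
             classify_endpoint(row["Address B"], local_ip, lan)}
    if "local" in kinds:
        return "own"
    if "multicast" in kinds:
        return "multicast"
    if "broadcast" in kinds:
        return "broadcast"
    # Neither endpoint is us and it is not group traffic: without a SPAN port
    # the only way this unicast reached our NIC is the switch flooding it.
    return "flooded-unicast"


def flood_direction(row, lan=LAN):
    """'toward-lan-host' when all observed packets go to the endpoint inside our
    LAN and none come back from it (aged-out MAC entry); otherwise 'mixed'."""
    a, b = row["Address A"], row["Address B"]
    a_to_b, b_to_a = int(row["Packets A->B"]), int(row["Packets A<-B"])
    a_in_lan = ipaddress.ip_address(a) in lan
    b_in_lan = ipaddress.ip_address(b) in lan
    if a_in_lan and not b_in_lan and a_to_b == 0 and b_to_a > 0:
        return "toward-lan-host"
    if b_in_lan and not a_in_lan and b_to_a == 0 and a_to_b > 0:
        return "toward-lan-host"
    return "mixed"


def classify_export(csv_text, local_ip=LOCAL_IP, lan=LAN):
    """Parse a Conversations CSV export and return {(Address A, Address B): category}."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cat = classify_conversation(row, local_ip, lan)
        if cat == "flooded-unicast":
            cat += ":" + flood_direction(row, lan)
        result[(row["Address A"], row["Address B"])] = cat
    return result


if __name__ == "__main__":
    for (a, b), cat in classify_export(SAMPLE_CSV).items():
        print(f"{a:>16} <-> {b:<16} {cat}")
```

Run against the pasted export, the three conversations 172.16.224.209/.195/.184 with a 172.25.x.x peer come out as flooded unicast heading towards the LAN host with no reply seen, which matches the "switch forgot the MAC" explanation given in the answer below rather than a mirrored port.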


One Answer:

0

This happens quite frequently in most networks. As soon as the switch does not know the MAC address of a destination node (either because the station wasn't addressed before or, more likely, because the MAC address table entry was discarded after a while), it has to flood the frame to all ports. As soon as the destination node answers, the switch learns which port the MAC is on and forwards all further frames directly.

You should always see just one single frame to a destination MAC like that, and none of the following frames after the MAC was learned. The exception is if the destination MAC does not answer at all, but in that case you'll just see multiple retries from the source to get the frame delivered.

answered 11 Apr '11, 03:25


Jasper ♦♦
accept rate: 18%

Hi Jasper,

Thanks, it does make sense. But if the MAC address is unknown, isn't there supposed to be an ARP broadcast to learn the MAC address? What I am seeing is a layer 2 unicast instead of a broadcast, unless we are talking about the MAC address table having aged out at the switch level.

I'd appreciate it if you could enlighten me on this. :)

(11 Apr '11, 22:45) Benson Low
1

Correct, if the sender doesn't know the MAC address you should see an ARP broadcast containing a request for the MAC of an IP address. What you probably have there is that the sending node still knows the MAC address (or has a static entry for it), but the switch forgot about it. I saw this a lot when there was a long MAC caching time on workstations but a much shorter caching time on the switches.

(11 Apr '11, 23:40) Jasper ♦♦
2

One of the most common sources of flooding is asymmetric routing. When traffic from the host follows a different path than traffic to the host, a switch along the path might not see the traffic coming from the host and therefore ages out the entry for the host in its forwarding table. As the ARP timeout is usually larger than the aging timer on a switch (on Cisco the default ARP timeout is 4 hours and the MAC aging timer is 5 minutes), the traffic towards the host starts to get flooded once the MAC aging timer runs out, until the host sends out a broadcast.

(12 Apr '11, 00:35) SYN-bit ♦♦
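The interplay of the two timers in Jasper's answer and SYN-bit's comment can be played through with a small learning-bridge model. This is an added example, not code from any of the posters; the router, host and sniffer sit on constructed ports 1, 2 and 3 of one switch, the MAC addresses are made up, and the timer values are the Cisco defaults quoted above (300 s MAC aging, 4 h ARP timeout). With asymmetric routing the switch never sees a frame from the host after its initial ARP broadcast, so the host's entry ages out while the host's own ARP cache stays valid; from that moment every router-to-host frame is flooded to the sniffer port until the host broadcasts again.

```python
from dataclasses import dataclass, field

# Timer values quoted in the thread as Cisco defaults.
MAC_AGING = 300          # switch forwarding-table aging, seconds
ARP_TIMEOUT = 4 * 3600   # ARP cache timeout on the end host, seconds

# Constructed MAC addresses for the simulation.
ROUTER = "02:00:00:00:00:01"
HOST = "02:00:00:00:00:02"
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    """A learning bridge with an aging forwarding table."""
    ports: frozenset
    aging: int = MAC_AGING
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def forward(self, now, src_mac, dst_mac, in_port):
        """Age out stale entries, learn src_mac on in_port, return egress ports."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]
        self.table[src_mac] = (in_port, now)
        if dst_mac == BCAST or dst_mac not in self.table:
            # Broadcast or unknown unicast: flood to every port but the ingress one.
            return sorted(self.ports - {in_port})
        return [self.table[dst_mac][0]]


def simulate(asymmetric, interval=60, duration=ARP_TIMEOUT + 120):
    """Return [(t, egress_ports)] for one router->host frame every `interval` seconds.

    Ports: 1 = router, 2 = host, 3 = the capturing notebook.
    asymmetric=True : the host's replies leave via another path, so this switch
                      sees nothing from HOST after its ARP broadcast at t=0.
    asymmetric=False: every reply comes back through this switch."""
    sw = Switch(ports=frozenset({1, 2, 3}))
    sw.forward(0, HOST, BCAST, in_port=2)  # host ARPs for its gateway at t=0
    events = []
    for t in range(interval, duration + 1, interval):
        if t % ARP_TIMEOUT == 0:
            # Host's ARP entry for the gateway expired: it broadcasts a new request,
            # which is the first frame from HOST this switch has seen in hours.
            sw.forward(t, HOST, BCAST, in_port=2)
        events.append((t, sw.forward(t, ROUTER, HOST, in_port=1)))
        if not asymmetric:
            sw.forward(t, HOST, ROUTER, in_port=2)  # reply refreshes HOST's entry
    return events


def flooded_window(events, sniffer_port=3):
    """(first, last) time a router->host frame reached the sniffer port, or None."""
    seen = [t for t, ports in events if sniffer_port in ports]
    return (seen[0], seen[-1]) if seen else None


if __name__ == "__main__":
    for mode in (True, False):
        print("asymmetric" if mode else "symmetric", flooded_window(simulate(mode)))
```

In the asymmetric run the sniffer starts receiving the router's unicast frames at t=360, the first frame after the 300 s aging timer expires, and keeps receiving them until the host's 4 h ARP timeout forces a broadcast at t=14400; in the symmetric run the reply path refreshes the entry every minute and nothing is ever flooded.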