This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

My Laptop interface connected into Cisco 3550 switch is seeing lots of other Source IP’s

0

I ran a 2 minute capture and I see many other IP's TCP traffic (source & destination). My understanding is I should only see my own laptops IP traffic and maybe broadcast traffic. We have 12 switches all plugged into a Cisco 6506 backbone. When I plug directly into other switches I also see other IP's TCP traffic. Any help would be appreciated. One thing I have read is mac address table may be full. I have checked the switch I am in and it had only 147 addresses. Maybe the backbones mac address table is full??

asked 21 Oct '11, 05:36

Forst's gravatar image

Forst
1111
accept rate: 0%


One Answer:

0

To see other IP's as source should not be alarming, as long as they send broadcast and multicast traffic. If you see the IP of other systems as destination in a unicast packet, that indicates flooding.

Flooding occurs when a switch does not know where to send the traffic. That can be caused by a full table, which is not the case in your case. It could also be caused by asymmetric routing. Also Microsoft Network Loadbalancing is a notorious source for flooding.

So have a good look at the mac and ip addresses of the traffic you did not expect to find out the cause.

answered 21 Oct '11, 05:51

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I do see that a lot of the traffic is MS-NLB_VirtServer_0a:00,etc. And we do have 2 sets of servers running unicast load balancing with dual nics plugged directly into the Cisco 6506 Switch. Could this be the cause and what recommendations? I have read to put load balanced servers into a hub and plug the hub into the switch...

(21 Oct '11, 13:22) Forst

That MS-NLB_VirtServer is simply the probe/heartbeat packets used by the load-balancing drive to make sure the which interfaces are working, and to allow load-balancing not to break the network. I don't see any reason why MS load-balancing shouldn't work with a switch directly - people don't make hubs these days.

That said, I assume you know that almost no real people actually use MS load-balancing in the enterprise? Most that I have heard that implement it regret it (though not sure of the real reasons to be honest) I would strongly recommend something like a F5 LTM instead

(22 Oct '11, 21:58) martyvis