
Seeing Traffic I shouldn’t


Please excuse my ignorance, I am a nitwit (Nerd In Training With Information Technology). I am running Wireshark on my PC and seeing tons of traffic I think I should not be seeing. For example, a server has a MAPI connection to another server. I thought the idea of a switch is that that traffic is only between those two hosts? The environment I set up has 4 Brocade FCX48s in a stack in the server farm and a separate stack of 8 FCX48s for the users. The stacks are trunked together using 8 Gbit links between the stacks. I also have a transparent IPS system intercepting all traffic between the stacks (in line) and noticed it thinks some MAC spoofing is happening. I figure that is because traffic from a MAC comes from one link one time and then another link another time, i.e. port-1 then later from port-2.

Could the trunk between the switch stacks be causing the traffic to be sent "everywhere" and if so what is the fix?
Thanks in advance for any advice.

asked 04 Apr '12, 16:07

nitwit

I would be very interested to see if anyone has an answer on this. I am experiencing the same thing. We are using Cisco gear here, but on my workstation I'm seeing a packet every now and then that has nothing to do with my IP, nor is it a broadcast. These aren't full-on conversations I'm seeing, just a packet here, a packet there. Very strange.

(31 May '12, 10:08) davj1

One Answer:


I am running Wireshark on my PC and seeing tons of traffic I think I should not be seeing. For example, a server has a MAPI connection to another server.

It depends where you connected your PC. If it's a simple access port on the switch, you should NOT see that traffic. If the port is a mirror/SPAN port, you SHOULD see that traffic. Please check the configuration of the switch port your PC is connected to. If the switch port is a regular access port, please try another switch port. If it's the same there, I suggest a Brocade expert should check the switch configuration. One possible cause could be the switch running in fail-open mode (basically a hub), which would degrade the overall performance of your network significantly. However, that's just speculation. One cannot tell, based on the amount of information given.

The stacks are trunked together using 8 Gbit links between the stacks.

Is this a vendor specific link (virtual chassis link / multi chassis link (MCT) / Inter chassis link (ICL)) or is it LACP (Link Aggregation)?

I also have a transparent IPS system intercepting all traffic between the stacks (in line) and noticed it thinks some MAC spoofing is happening. I figure that is because traffic from a MAC comes from one link one time and then another link another time, i.e. port-1 then later from port-2.

If the IPS is between those trunk ports, I assume it's LACP (as there is usually no way to tap into vendor-specific links). If it's LACP, it's perfectly normal to see the same (source) MAC address on both ports, depending on the hash method defined for LACP (round-robin, L3, L4). You would also see the same MAC address on another link, for a connection to a different endpoint!

Regards
Kurt

answered 31 May '12, 10:53


Kurt Knochner ♦

edited 31 May '12, 19:24
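As an added example (not code from the original thread, from Kurt's answer, or from Brocade), a small Python model of the point above: an L3/L4 link-aggregation hash spreads one source MAC over several member links, so a per-port rule of the form "same MAC seen on more than one port means spoofing" alerts on legitimate traffic, while a MAC-only (L2) hash keeps each MAC on one link. The XOR hash, the MACs and the IPs are constructed stand-ins; real switches use vendor-specific hash inputs.

```python
"""Constructed model of LACP member-link selection and a naive IPS rule.
Not the original thread's code; the hash and addresses are made up."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A flow as the aggregating switch sees it: src_mac, src_ip, dst_ip, sport, dport
Flow = Tuple[str, str, str, int, int]


def _xor_fields(values: List[int]) -> int:
    out = 0
    for v in values:
        out ^= v
    return out


def pick_member_link(flow: Flow, n_links: int, mode: str) -> int:
    """Choose the member link for a flow. 'l2' hashes the source MAC only,
    'l3' adds both IPs, 'l4' also adds both TCP/UDP ports (constructed hash)."""
    if mode not in ("l2", "l3", "l4"):
        raise ValueError(f"unknown hash mode {mode!r}")
    src_mac, src_ip, dst_ip, sport, dport = flow
    fields = [int(b, 16) for b in src_mac.split(":")]
    if mode in ("l3", "l4"):
        fields += [int(o) for o in src_ip.split(".")]
        fields += [int(o) for o in dst_ip.split(".")]
    if mode == "l4":
        fields += [sport, dport]
    return _xor_fields(fields) % n_links


def links_per_mac(flows: List[Flow], n_links: int, mode: str) -> Dict[str, Set[int]]:
    """Record which member links each source MAC was observed on."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for flow in flows:
        seen[flow[0]].add(pick_member_link(flow, n_links, mode))
    return dict(seen)


def naive_spoof_alerts(seen: Dict[str, Set[int]]) -> List[str]:
    """The per-port rule the thread's IPS appears to apply: a MAC on >1 link."""
    return sorted(mac for mac, links in seen.items() if len(links) > 1)


# Constructed sample: one server MAC with three flows (two peers), one client MAC.
SAMPLE_FLOWS: List[Flow] = [
    ("00:11:22:33:44:55", "10.0.1.10", "10.0.2.20", 49152, 135),  # MAPI-style RPC
    ("00:11:22:33:44:55", "10.0.1.10", "10.0.2.20", 49153, 135),
    ("00:11:22:33:44:55", "10.0.1.10", "10.0.2.21", 49154, 135),  # different peer
    ("00:aa:bb:cc:dd:ee", "10.0.3.7", "10.0.1.10", 50000, 443),
]
```

With two member links, the server MAC lands on both links under the L3 and L4 hashes (and is flagged by the naive rule), but on a single link under the L2 hash.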

Kurt,

I can give some more insight to my specific situation. This was a simple TCP SYN from one machine to another. One machine on the same network as mine, the sending machine on a completely different network. No SPAN sessions are configured on my switch.

This cancels out the broadcast theory at both layer 2 and 3 and the fact that it's being routed makes the overload situation seem like a reach. I will definitely look more into that though and see if any bugs have been reported for the IOS we are running. Thanks for throwing some more options out and giving a fresh point of view.

(31 May '12, 11:09) davj1