 Napsterbater Premium join:2002-12-28 Milledgeville, GA
·Windstream
·Charter Pipeline
edit: May 5th, @05:58AM
| Weird Ethernet broadcast issue.
Hey guys, I have a strange Ethernet broadcast issue that I can't seem to figure out.
I know an Ethernet packet with the Dest. MAC equaling FF:FF:FF:FF:FF:FF is a broadcast MAC and will be sent to all switch ports throughout the broadcast domain. But what would cause 00:03:ff:63:c3:56, 00:03:ff:60:c3:56 or 00:03:ff:62:c3:56 to have the same effect?
The reason I'm asking is I just set up a m0n0wall router in Microsoft Virtual PC 2007 on a Windows 2003 server and it's working well, except all traffic destined for any of the 3 MACs used by it (00:03:ff:63:c3:56, 00:03:ff:60:c3:56 or 00:03:ff:62:c3:56) is sent to every port in the broadcast domain. I've attached a Wireshark log to show what I'm talking about. (NOTE: the port being monitored has no services configured at all, i.e. no IP, no IPv6, no nothing, just the monitor)
Edit: typo in the subject |
|
 Nubiatech soy capitan
join:2007-09-02 Illinois
| said by Napsterbater: (NOTE: the port being monitored has no services configured at all ie: no IP no IPv6 no nothing just the monitor)
If you are able to capture this traffic, then either you are using a hub, or the port is set up in monitor mode.
PS. the capture file reveals a little bit more er, "info" than needed. |
|
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
·ViaTalk
Host: Linksys AT&T Midwest
| reply to Napsterbater
...And you are not port mirroring (SPAN) the VLAN to this port for monitoring? What kind of switch is running this segment? You state no IP or IPv6 is configured on this port; I assume you mean the NIC that you are capturing on has no IP protocol configuration, so it cannot initiate any traffic itself and should not be the destination of any traffic. |
|
 Napsterbater Premium join:2002-12-28 Milledgeville, GA
| This is a basic Layer 2 switch. It is an old (so I thought till I looked it up) D-Link DSS-16+ compact 16-port switch (»www.newegg.com/Product/Product.a···7111012). These packets are going to the neighboring switch and flooding it as well (a Linksys 5-port GigE switch). These switches are nothing but dumb switches (not hubs). ALL ports receive the traffic. |
|
 Napsterbater Premium join:2002-12-28 Milledgeville, GA
| reply to Nubiatech
said by Nubiatech: said by Napsterbater: (NOTE: the port being monitored has no services configured at all ie: no IP no IPv6 no nothing just the monitor) If you are able to capture this traffic, then either you are using a hub, or the port is setup in monitor mode. PS. the capture file reveals a little bit more er, "info" than needed.
Just to be clear, the port is not in "Monitor Mode". I meant only Wireshark is running on that port from a Win 2003 Server with nothing checked in the Network properties except for "Network Monitor Driver" from Wireshark. Plus I can see every connected port's traffic light blinking at the same time from the traffic; then of course there is the normal traffic only hitting the correct ports. |
|
  rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
| If that is true, then it sounds to me like there is something wrong with that switch. It appears to be copying all packets to all ports regardless of the destination MAC address. Beyond a software or hardware issue, the only thing I can think of that would cause this kind of behavior is if something is causing the switch to flush its MAC address table very rapidly.
If a frame enters a switch destined to a MAC address it does not have a port assignment for, it will copy that frame to all ports as an "unknown" unicast.
-- Ignorance is temporary...stupidity lasts forever!
»www.thewaystation.com/ »blog.thewaystation.com/ |
|
 Napsterbater Premium join:2002-12-28 Milledgeville, GA
| That sounds plausible, I just don't see what could be causing it. I only have 15 devices, 20 max, on the network and these are rated for 8000 MACs. When I first noticed, I restarted the whole LAN; it didn't help. If Switch A (the switch that has the MACs in question attached to it) sent that broadcast to Switch B, but B already had the MAC as connected to the port going to A, wouldn't B stop it right there? |
|
 dadarkside Premium join:2006-05-20 The Moon
edit: May 7th, @11:58AM
| reply to Napsterbater
The only time a switch will flood unicast destined traffic for a single (non-broadcast) MAC address to all ports is when it doesn't have a destination port mapped for that MAC address yet.
You could try to see if your MAC table has those addresses listed, and if not, try to see why the MAC addresses in question aren't being mapped into the 16 port switch.
You could also try statically assigning the MAC addresses in question to a specific port mapping.....
Again, the only time a switch with multiple broadcast domains will flood unicast to all ports is when it doesn't know the destination port for the unicast target.
But once the unicast target responds to the broadcast, the switch is supposed to make an entry in its forwarding table. |
|
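Added example (not part of any post in this thread): a minimal Python model of a transparent learning switch, showing the unknown-unicast flooding described in the replies above, and what a second switch does with a flooded copy when it has already learned the destination on its uplink. All MACs, port numbers and names are constructed for illustration.

```python
# Toy model of a transparent (learning) Ethernet switch. All MACs, port
# numbers and names are constructed for illustration.
BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER = "02:00:00:00:00:01"   # stands in for the virtual router's vNIC
CLIENT = "02:00:00:00:00:02"   # stands in for a LAN client

class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}                      # MAC address -> port

    def receive(self, in_port, src, dst):
        """Learn src, then return the set of ports the frame is sent out of."""
        self.table[src] = in_port            # source learning
        if dst == BROADCAST or dst not in self.table:
            return self.ports - {in_port}    # broadcast or unknown unicast: flood
        out = self.table[dst]
        return set() if out == in_port else {out}  # filter or forward

def run_scenario():
    # Switch A: 1 = router host, 2 = client, 3 = idle monitor port, 4 = uplink to B
    a = LearningSwitch([1, 2, 3, 4])
    # Switch B: 1 = uplink to A, 2 and 3 = other hosts
    b = LearningSwitch([1, 2, 3])
    results = {}
    # Router has not sent anything yet, so A has no entry for it: flood.
    results["unknown"] = a.receive(2, CLIENT, ROUTER)
    # Router replies; A learns ROUTER on port 1.
    results["reply"] = a.receive(1, ROUTER, CLIENT)
    results["learned"] = a.receive(2, CLIENT, ROUTER)
    # Table flushed (aging, reset, or rapid flushing): flooding returns.
    a.table.clear()
    results["flushed"] = a.receive(2, CLIENT, ROUTER)
    # B learned ROUTER on its uplink from an earlier frame; a flooded copy
    # arriving on that same uplink is filtered, not re-flooded.
    b.receive(1, ROUTER, BROADCAST)
    results["b_filter"] = b.receive(1, CLIENT, ROUTER)
    return results

if __name__ == "__main__":
    for step, ports in run_scenario().items():
        print(f"{step:9} -> out ports {sorted(ports)}")
```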
 mpier1213
join:2001-10-06 New York, NY
| reply to Napsterbater
There are not many MAC addresses in this trace. If you look you will see there are only a few that are used for non-broadcast traffic:
10.0.1.1 - is a 3Com NIC (00:26:54:13:dc:0a)
10.0.1.12 is an Asustek NIC (00:0e:a6:9d:d0:4c)
ALL other traffic is PPPoE traffic which uses the same Cisco MAC address (00:17:e0:bd:28:38).
It looks like the PPPoE/PPP adapter uses multiple IP addresses, but the same MAC address. |
|
 Napsterbater Premium join:2002-12-28 Milledgeville, GA
| If you notice, it is all traffic destined TO (well, Internet via NAT) 10.0.1.3 - 00:03:ff:60:c3:56, the PPPoE adapter (via PPPoE from the DSL modem bridge, which is the Cisco MAC) - 00:03:ff:63:c3:56 (the PPPoE adapter is hooked to the switch with the DSL modem, and yes, there is a reason) and 10.0.0.1 - 00:03:ff:62:c3:56. Those are the MACs/IPs of a MS Virtual PC 2007 with m0n0wall running; m0n0wall has 3 vNICs attached to 1 port of the server running MS V PC (if you think about it, it's like having a 5-port switch with 1 hooked to the server, 3 to a m0n0wall and 1 back to the 16-port)
p.s.: These switches, as I said before, are dumb, no management. |
|