Nubiatech
soy capitan
join:2007-09-02
Illinois
| reply to Napsterbater
Re: Weird Ethernet broadcast issue.
said by Napsterbater  :(NOTE: the port being monitored has no services configured at all ie: no IP no IPv6 no nothing just the monitor) If you are able to capture this traffic, then either you are using a hub, or the port is setup in monitor mode.
PS. the capture file reveals a little bit more er, "info" than needed. |
|
Napsterbater
Premium
join:2002-12-28
Milledgeville, GA
clubs: 
 ·Windstream
 ·Charter Pipeline
| said by Nubiatech :said by Napsterbater :(NOTE: the port being monitored has no services configured at all ie: no IP no IPv6 no nothing just the monitor) If you are able to capture this traffic, then either you are using a hub, or the port is setup in monitor mode. PS. the capture file reveals a little bit more er, "info" than needed. Just to be clear the port is not in "Monitor Mode" I meant only wire shark is running on that port from a Win 2003 Server with Nothing checked in the Network properties except for "Network Monitor Driver" from wireshark, plus i can see every connected ports traffic light blinking at the same time from the traffic, then of course there is the normal traffic only hitting the correct ports. |
|
rolande
Certifiable
Premium,Mod
join:2002-05-24
Powell, OH
clubs:
Host:
Linksys
AT&T Midwest
| If that is true, then it sounds to me like there is something wrong with that switch. It appears to be copying all packets to all ports regardless of the destination MAC address. Beyond a software or hardware issue, the only thing I can think of that would cause this kind of behavior is if something is causing the switch to flush its MAC address table very rapidly.
If a frame enters a switch destined to a MAC address it does not have a port assignment for it will copy that frame to all ports as an "unknown" unicast.
--
Ignorance is temporary...stupidity lasts forever!
»www.thewaystation.com/
»blog.thewaystation.com/ |
|
Napsterbater
Premium
join:2002-12-28
Milledgeville, GA
clubs:
·Windstream
·Charter Pipeline
| That sound plausible, I just Don't see what could be causing it, i only have 15 Devices 20 Max on the network and these are rated for 8000 MACs. When I first noticed I re-stared the whole LAN it didn't help. If Switch A (The Switch that has the MACs in question attached to it) sent that Broadcast to Switch B but B All ready had the MAC as Connected to the port going to A wouldn't B stop it right there? |
|
mpier1213
join:2001-10-06
New York, NY
| There are not many MAC addresses in this trace. If you look you will see there are only a few that are used for non-broadcast traffic:
10.0.1.1 - is a 3Com NIC (00:26:54:13:dc:0a)
10.0.1.12 is an Asustek NIC (00:0e:a6:9d:d0:4c)
ALL other traffic is PPPoE traffic which uses the same Cisco MAC address (00:17:e0:bd:28:38).
It looks like the PPPoE/PPP adapter uses multiple IP addresses, but the same MAC address. |
|
Napsterbater
Premium
join:2002-12-28
Milledgeville, GA
clubs:
·Windstream
·Charter Pipeline
| If you notice it all traffic destined TO (well internet via NAT) 10.0.1.3 -00:03:ff:60:c3:56, pppoe adapter (via PPPoE from the DSL Modem Bridge which is the Cisco MAC) - 00:03:ff:63:c3:56 (PPPoE Adapter is hooked to the switch with the DSL modem, and yes there is a reason) and 10.0.0.1 - 00:03:ff:62:c3:56, those are the MACs/IPs of a MS Virtual PC 2007 with m0n0wall running, m0n0wall has 3 vNics attached to 1 port of the server running MS V PC (If you think about it's like having a 5 port switch with 1 hooked to the server 3 to a m0n0wall and 1 back to the 16 port)
p.s.: These switches as I said before are dumb no management. |
|
