
Ghost IPs using Web Packet Capture

b-krull
Level 1

Hello,

I have two Catalyst 9200 switches running Bengaluru Version 17.06.06a in a stacked environment. I've been having some performance issues so I wanted to perform a packet capture. At first I tried the easy way of just going to the switch web page and then Troubleshooting, Packet Capture. While analyzing the capture, using Wireshark, I noticed two private IPs: 192.168.1.5 and 192.168.1.6 constantly communicating with each other. I'm thinking there's something attached to my network that shouldn't be.

I then ran Monitor Capture from the CLI and the capture does not show these addresses. I then monitored the network traffic using Wireshark and again I don't see the addresses. Same thing using CLI Analyzer. My question: Does the switch web site add those two addresses during the capture, or does the web site capture see more of the network than what I'm capturing using Monitor Capture (i.e., not configuring it to show all the traffic)?

These two addresses do not have MACs, all zeroes. I took all outside traffic out of the equation but the addresses are still there. So if they are real, they are coming from something local.

 

 
