
Strange snoop traffic

abwood
Level 1

When I snoop the sniffing interface on one of my sensors, I see the following:

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 326 bytes

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> * ETHER Type=8100 (Unknown), size = 406 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes

? -> * ETHER Type=8100 (Unknown), size = 326 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 406 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> * ETHER Type=9000 (Loopback), size = 60 bytes

The sensor appears to be functioning correctly and has set off some alarms. I am just curious why the traffic looks like that. Is this a problem with the way the port is configured? Is the sensor able to understand this traffic?

By the way, this is a 4235 running 3.1(3)S42.

Thanks in advance.

1 Reply 1

marcabal
Cisco Employee

If I remember correctly, the sensor is seeing Dot1q encapsulated traffic from a trunk port of the switch.

Packetd is built to handle the dot1q encapsulated packets, but snoop was never coded to handle that packet format so you get the "Unknown" packet type.
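
An added illustration, not part of the original thread and not snoop's or the sensor's own code: a small Python decoder showing why a tag-unaware tool reports Type=8100 (it reads only the 16 bits at offset 12) and how skipping the 4-byte 802.1Q tag recovers the real EtherType. The function names, the sample frame and VLAN ID 100 are constructed for the example, and the 0x88A8 (QinQ) handling goes beyond the case discussed in the thread.

```python
import struct

TPID_8021Q = 0x8100   # 802.1Q VLAN tag: the "Type=8100" snoop printed
TPID_8021AD = 0x88A8  # 802.1ad outer tag (QinQ); a generalization beyond the thread


def naive_ethertype(frame: bytes) -> int:
    """What a tag-unaware decoder reports: the 16 bits at offset 12."""
    return struct.unpack_from("!H", frame, 12)[0]


def parse_ethernet(frame: bytes) -> dict:
    """Skip any VLAN tags and return them with the real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = naive_ethertype(frame)
    offset = 14
    tags = []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        # Tag = 16-bit TCI (3-bit priority, 1-bit DEI, 12-bit VLAN ID) + next type
        tci, inner = struct.unpack_from("!HH", frame, offset)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vlan": tci & 0x0FFF})
        ethertype = inner
        offset += 4
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_tags": tags, "ethertype": ethertype, "payload": frame[offset:]}


def build_sample(vlan: int = 100) -> bytes:
    """Constructed frame: broadcast dst, made-up src, one 802.1Q tag, IPv4 type."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", TPID_8021Q, vlan)  # priority 0, DEI 0
    return header + tag + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    sample = build_sample()
    print(f"naive decoder sees type {naive_ethertype(sample):#06x}")
    parsed = parse_ethernet(sample)
    print(f"vlan {parsed['vlan_tags'][0]['vlan']}, real type {parsed['ethertype']:#06x}")
```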