Monitoring Broadcast Traffic - Seeing Point to Point Traffic?

stownsend · ‎04-05-2016

I have a PC with 2 NICs in it. One has all of the normal Stuff, the 2nd NIC has nothing checked in its Properties.

2nd NIC is connected to an SG300-52 Switch setup as General Access, untagged VLAN 101. No RMON/Port Mirroring or anything special. Only looking for Broadcast traffic.

Wireshark is setup to only monitor traffic on the 2nd NIC.

Wireshark for the most part is capturing all of the Broadcast Traffic. Though In the WireShark Buffer and Conversation log I can see other Point to point traffic from Machines that are connected to the same switch, though not the Machine I'm on. They only account for a couple % of the Packet count and only maybe 8 of the few thousand conversations logged.

BackupServer<--> Mail Server

BackupServer<--> SQL Server

RandomPC <--> MS Win Update

ands a few others.

When I look at the Packets, they have a like of TCP DUP ACKs, Retransmissions, and several other things. Even though there seem to be issues with the Packets, why is my Monitoring NIC that's only looking at the Broadcast stuff seeing this other traffic?

chrihussey · ‎04-19-2016

Switches form CAM tables which identify which MAC addresses are associated with which switch ports. CAM table entries (like ARP tables) can time out and need to be re-learned. When a switch needs to forward a packet to an unknown MAC address on a VLAN, it will broadcast it out all ports until can update it's CAM table appropriately.

If you're seeing just a few packets from these conversations and not the full exchange this is more than likely the cause and shouldn't be a concern.

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html