07-27-2007 09:50 AM - edited 03-05-2019 05:32 PM
I am seeing (not a lot) a conversation from a node on my VLAN talking to another node on a separate VLAN. We have turned off all possible port mirroring/spanning. It was discovered by our CSO and I was able to verify this by running a sniff on my port and I saw the same traffic... Anyone have any ideas or suggestions? I looked through the packet in Wireshark and did not see that this was a broadcast, although I do see the standard EIGRP, CDP, etc.
07-27-2007 10:22 AM
Hi Friend,
Can you attach a Wireshark capture? Also, is that traffic EIGRP traffic? If yes, then it is very obvious to see that traffic, as it is destined to a multicast address which is not learned in the switch CAM table, so the switch will treat it as broadcast.
If it is neither multicast nor broadcast traffic, can you attach a Wireshark capture with your post?
Regards,
Ankur
07-27-2007 10:34 AM
Thanks Ankur
Unfortunately I am not permitted to send this type of info, but it is not EIGRP, it is telnet traffic (source port 23), from one host on my VLAN to another host on a separate VLAN. Is there a setting in the 6509 that I could look at, or change? We have an EtherChannel trunked connection going to our main 6513 core switch, and then from there to another switch in a separate closet for another group. This other group, though, is on the same VLAN that I am on.
07-28-2007 05:35 PM
Jeff
The symptom of seeing unicast traffic on a port that is not part of the unicast traffic flow can happen in a condition frequently referred to as unicast flooding. Unicast flooding generally happens when the destination MAC address is not found in the CAM of the source switch and there are several things that can lead to unicast flooding:
- the CAM might be full and the switch cannot add the destination MAC to the CAM, so it floods.
- the CAM might have learned the MAC, timed out the MAC, and has not yet seen traffic to re-learn the MAC. This sometimes happens when there is asymmetric traffic (traffic to the station you are seeing is sent through one upstream switch, and response traffic is being sent back through another switch - quite possible if the end station is connected to a VLAN with 2 switches where traffic arrives from switch A and the response is sent to the default gateway/HSRP address which is currently switch B). A frequent fix for this is to configure the ARP timeout (4 hours by default) to be the same as the CAM aging timer.
If the problem is still happening, I would suggest that you find the MAC of the other end station and do show cam dynamic to see if you can find the destination MAC address in the packet. My guess is that you will not find it.
HTH
Rick
07-31-2007 08:02 AM
Thanks again Rick
you steered me in the right direction once again.
Thanks
Jeff
07-31-2007 09:00 AM
Jeff
I am glad that my suggestion was able to guide you to a resolution of your issue. Thank you for using the rating system to indicate that your issue was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read something that resolved that issue. I encourage you to continue your participation in the forum.
HTH
Rick
07-28-2007 09:23 PM
One option - identify the port where the destination host is located. On that switch, set a static MAC for the PC with a command similar to the following:
mac address-table static 0004.5600.67ab vlan 1 interface fastethernet0/2
where fa0/2 is the port where the PC is connected and 0004.5600.67ab is the MAC of the PC.
After this, see if the unicast traffic is still seen on other ports.
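The mechanism Rick describes (a CAM miss that turns a unicast frame into a flood, driven by an asymmetric return path and a 4-hour ARP timeout that outlives the CAM aging timer) and the static-entry workaround in the post above, as an added example that is not part of the original thread and is not Catalyst code. The Python model below is a toy learning switch; its topology, port names, gateway MAC and the 300-second CAM aging default are assumptions. It counts how many gateway-to-station frames spill onto a third port (Jeff's sniffer) under each of the remedies discussed.

```python
"""Toy model of the unicast flooding described in this thread.

Added example, not code from the original thread or from Cisco. Topology
and numbers are assumptions: switch SW-A has a gateway router on port
"gw", reaches end station S through port "dl", has Jeff's sniffer on
"jeff" and a trunk "sw-b" to the second switch. In the asymmetric case
S answers to the HSRP address active on the other switch, so SW-A never
sees S as a source MAC except in ARP replies.
"""
from dataclasses import dataclass

GW_MAC = "00aa.0000.0001"   # constructed gateway MAC
S_MAC = "0004.5600.67ab"    # end-station MAC from the static-entry post
BCAST = "ffff.ffff.ffff"


def is_group_mac(mac: str) -> bool:
    """Multicast or broadcast: least significant bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class CamEntry:
    port: str
    learned: int          # simulation time the entry was (re)learned
    static: bool = False  # static entries never age out


class Switch:
    """Learning switch with an aging CAM table (one VLAN)."""

    def __init__(self, ports, cam_aging=300):
        self.ports = list(ports)
        self.cam_aging = cam_aging  # seconds; 300 is the assumed default
        self.cam = {}

    def add_static(self, mac, port):
        self.cam[mac] = CamEntry(port, 0, static=True)

    def lookup(self, mac, now):
        """Return the live CAM entry for mac, aging it out if it is stale."""
        e = self.cam.get(mac)
        if e is None:
            return None
        if not e.static and now - e.learned > self.cam_aging:
            del self.cam[mac]
            return None
        return e

    def forward(self, src, dst, in_port, now):
        """Learn src on in_port, then return the list of egress ports."""
        e = self.cam.get(src)
        if e is None or not e.static:
            self.cam[src] = CamEntry(in_port, now)
        hit = None if is_group_mac(dst) else self.lookup(dst, now)
        if hit is not None:
            return [hit.port]
        # group address or unknown unicast: flood the whole VLAN
        return [p for p in self.ports if p != in_port]


def simulate(duration=3600, step=10, cam_aging=300, arp_timeout=14400,
             asymmetric=True, static_entry=False):
    """Return (frames for S that reached Jeff's port, S still in CAM at end)."""
    sw = Switch(["gw", "dl", "jeff", "sw-b"], cam_aging)
    if static_entry:
        sw.add_static(S_MAC, "dl")
    arp_learned = None
    flooded = 0
    for now in range(0, duration + 1, step):
        # Gateway ARP cache: resolve S when the entry is missing or timed out.
        if arp_learned is None or now - arp_learned > arp_timeout:
            sw.forward(GW_MAC, BCAST, "gw", now)   # ARP request, flooded
            sw.forward(S_MAC, GW_MAC, "dl", now)   # ARP reply, SW-A learns S
            arp_learned = now
        # Gateway sends a unicast telnet frame to S.
        if "jeff" in sw.forward(GW_MAC, S_MAC, "gw", now):
            flooded += 1
        if not asymmetric:
            # S's reply comes back through SW-A and refreshes the CAM entry.
            sw.forward(S_MAC, GW_MAC, "dl", now)
        # Asymmetric: S's reply goes to the HSRP active router on SW-B,
        # so SW-A's entry for S is never refreshed and ages out.
    return flooded, sw.lookup(S_MAC, duration) is not None


if __name__ == "__main__":
    for label, kw in [("default timers, asymmetric", {}),
                      ("arp timeout = cam aging", {"arp_timeout": 300}),
                      ("symmetric return path", {"asymmetric": False}),
                      ("static CAM entry", {"static_entry": True})]:
        flooded, in_cam = simulate(**kw)
        print(f"{label:28s} flooded={flooded:4d}  S in CAM at end={in_cam}")
```

With the assumed defaults the first scenario floods every frame after the CAM entry ages out at 300 seconds and keeps doing so for the rest of the hour, and the station is absent from the dynamic CAM at the end, which is what Rick expects "show cam dynamic" to show. Aligning the ARP timeout with CAM aging, a symmetric return path, or the static entry each bring the count to zero. On IOS the corresponding knobs are the interface-level "arp timeout" and the global "mac address-table aging-time".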
07-31-2007 09:43 AM
Tell your CSO to get his CCIE security... he should know this stuff...
I can't believe "troublemakers" like this raise Cain and the engineers have to come to a message board for answers...
LOL
Mr. Belfort, Sir...
"my name is the Plague"