Span session more traffic than expected

david-flores · ‎10-13-2011

I have setup a span session on my 6500 with the following commands:

monitor session 1 source interface g3/23

monitor session 1 des interface g3/24

I then used Wireshark to capture data on g3/24, and expected to only see traffic for the server on g3/23, however, I noticed there was more than just that server traffic, and broadcast traffic, but traffic for other servers destined to other locations. Is this behavior normal? I thought I would just see traffic both in and out of g3/23.

thanks

cadet alain · ‎10-13-2011

Hi,

these may be unknown unicast floods which happen every time the switch hasn't got the dst mac into its cam table anymore because it timed out but once the host replies to traffic then it stops.the default timeout is 5 minutes.

these also could be multicast which are flooded like broadcasts and unknown unicasts.

Regards.

Alain.

Don't forget to rate helpful posts.

david-flores · ‎10-13-2011

In reviewing the file again, the other traffic appears to be dns, http, and email based traffic. It does not seem right that I see all this other traffic when I specifically configured the switch to only capture on a single port with one server connected.

cadet alain · ‎10-13-2011

hi,

are the other devices you see traffic from only sending a few packets? then it may be the unknown unicast flooding I talked about just before.

Cn you set the mac address aging time higher and verify if you see this traffic again.

Regards.

Alain.

Don't forget to rate helpful posts.