Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
5
Helpful
3
Replies

Ethereal capturing a source and destination that is not its ip

evan2five
Level 1
Level 1

‎07-19-2007 10:18 PM - edited ‎03-14-2019 10:41 PM

Got a question in regards to ethereal capturing a source and destination set of ip addresses that do not include the ip of the device that I capture on. Is this due to promiscuous mode?

Say the capture nic card is 10.0.0.1 I am getting in some of the capture lines a source of say 10.1.2.1 with destination 10.1.2.2. Ie it does not include the pc that is running ethereal doing the capture. (i am not running rspan either).

Labels:
0 Helpful
3 Replies 3

AJAZ NAWAZ
Level 5
Level 5

‎07-19-2007 11:06 PM

Let's just clear up few things. RSPAN is only used when there is a requirement to sniff a network port on a switch that is not directly connected to the same switch as the sniffer. So the first qtn, is your Ethereal host connected to the same switch?

Secondly, if you have set a filter in Ethereal stipulating the source/destination IP pair of addresses, then the capture should only show those packets which match exactly the src/dst IP's which you have set.

Any PVLAN configuration associated with port which you are sniffing, or the port connected to Ethereal will undoubtedly throw up unexpected results, and in some cases nothing at all.

"PVLAN ports cannot be trunk ports, cannot channel, cannot have dynamic VLAN membership, and cannot be a Switched Port Analyzer (SPAN) destination."

<http://www.cisco.com/warp/public/473/63.html>

hth,

Ajaz

0 Helpful

geraldcombs
Level 1
Level 1

‎07-21-2007 12:49 PM

Ethereal (which has been renamed to Wireshark) captures in promiscuous mode by default, meaning that it will bring in all traffic that hits the NIC. Something you might want to look into is why traffic for 10.1.2.1 and 10.1.2.2 are hitting your port. Assuming you're on a switch (and not a hub), AND that you don't have SPAN configured, you shouldn't see unicast traffic between other ports (in theory, at least).

You should really think about upgrading to Wireshark, BTW. We changed the name from Ethereal in May 2006: http://www.wireshark.org/ Several major security bugs have been fixed since then.

evan2five
Level 1
Level 1
In response to geraldcombs

‎07-24-2007 06:26 PM

Thanks for your replies, it looks like it is traffic from a server destined for a host in which the mac-address has timed out on the switch.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents