Seeing packets not addressed to me on a switch

Unanswered Question
Nov 23rd, 2007


I am seeing a strange traffic pattern when sniffing a segment of my network.

To explain, at the network core is a 4500 Cat switch with a number of vlans, the vlan in question is configured as follows

interface Vlan102

description **First Floor**

ip address secondary

ip address secondary

ip address secondary

ip address

Connected to the 4500 is a Cat2960, which is connected via a dot1q trunk. All VLAN's on the 4500 are trunked to this switch.

All ports on this switch are access ports in vlan 102.

I connect my laptop to one of the switch ports on the 2960, my laptops IP address is

When running Ethereal and capturing packets, I can see a stream of traffic from a host with IP address of (this subnet lies in another building connected via a WAN link) to a host with address of The stream is a unicast UDP stream to port 8080.

I can't understand why I should see this from my host, there is also no port mirroring configured.

I've connected to other ports on this switch and other switches with ports in the same VLAN with the same result.

Any ideas ?

Please help.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
voiper_99 Fri, 11/23/2007 - 16:02


Just to make sure I understand correctly, you have not issued any SPAN commands and you are using Ethereal to sniff packets on your NIC card only?

If this is correct, then I too cannot understand why you are able to see these packets if they have a source and destination address. The only way it should be possible for you to see those packets would be if the destination address was the broadcast address of your subnet.

jarredtaylor Sat, 11/24/2007 - 06:54


Another way this is possible is if the CAM table has timed out for MAC associated with In that case the switches will flood the traffic destined for that MAC to all ports in vlan 102. I've seen this before with UDP traffic (specifically streaming media or replication traffic).

Since UDP is 'connectionless' and has no type of acknowledgments built into the protocol you can run into situations, depending on the application, where the receiver never has to send a single packet (frame in this case) after making the initial request for data. Assuming the receiver is not generating any other network traffic, this system's MAC address will age out of the switch CAM tables in 5 minutes. At that point all subsequent traffic will be flooded.



andrew.butterworth Sat, 11/24/2007 - 10:39

What you are seeing in Unicast Flooding. This is very common in unstructured Campus Networks and is a result of spanning the same VLANs over multiple access switches. You can minimise the effect by tuning ARP & CAM timers but you can never eliminate it without properly structuring your network and NOT spanning VLANs between access switches.



This Discussion