On a Cisco switched network, why am I seeing

Jan 25th, 2008

I have an all-Cisco switched network. I have a sniffer just watching broadcast and multicast traffic. This sniffer is not seeing all the traffic on the network, as there are no SPAN ports. On this sniffer I see pings. I don't understand how I can see pings from one server to another from a sniffer on a separate switch on the network. And it's not the pings so much as just echo replies from the server. I don't think I should see pings on a switched network, unless it was something pinging the sniffer box specifically.

Any ideas?

Edison Ortiz Sat, 01/26/2008 - 19:33

It seems the MAC address for the destination aged out on the switch, so it's flooding the packets to every single switchport.

How are your MAC address aging timeout and ARP timeout set up?

You should have equal timers for both, or the ARP timeout with a slightly lower value.

mac address-table aging-time
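Added example, not part of the thread: a small Python model of the timer interaction described in the reply above. A router keeps an ARP entry for a server; the server's data replies leave by another path, so the only frames the switch ever sees from the server's MAC are its ARP replies. With the Cisco IOS defaults (MAC aging 300 s, ARP timeout 14400 s) the server's entry ages out long before the router re-ARPs, and every frame to the server is flooded until it does. With the ARP timeout slightly below the aging time, the periodic ARP reply refreshes the entry and nothing floods. All MAC/IP addresses are made up for the example.

```python
"""Toy model: learning switch + router ARP cache + server whose replies take
another path (asymmetric). Counts unicast frames the switch had to flood.
Constructed example; every address below is hypothetical."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
ROUTER_MAC = "00:00:0c:00:00:01"   # assumed router MAC (port 1 on the switch)
SERVER_MAC = "00:50:56:00:00:02"   # assumed server MAC (port 2 on the switch)
SERVER_IP = "10.0.0.2"             # assumed server address


class Switch:
    """Learns source MAC -> port; drops entries idle for aging_time seconds."""

    def __init__(self, aging_time):
        self.aging_time = aging_time
        self.table = {}             # mac -> (port, last_seen)
        self.flooded_unicasts = 0

    def forward(self, src_mac, src_port, dst_mac, now):
        # Age out stale entries first, as the periodic table sweep would.
        for mac, (_, seen) in list(self.table.items()):
            if now - seen >= self.aging_time:
                del self.table[mac]
        self.table[src_mac] = (src_port, now)   # learn / refresh the sender
        if dst_mac in self.table:
            return self.table[dst_mac][0]       # known destination: one port
        if dst_mac != BROADCAST:
            self.flooded_unicasts += 1          # unknown unicast: flooded
        return "flood"


class Router:
    """ARP cache whose entries expire after arp_timeout seconds."""

    def __init__(self, arp_timeout):
        self.arp_timeout = arp_timeout
        self.arp = {}               # ip -> (mac, learned_at)

    def resolve(self, ip, now, switch):
        entry = self.arp.get(ip)
        if entry is None or now - entry[1] >= self.arp_timeout:
            # ARP request is a broadcast; the server's unicast reply is the
            # only frame this switch ever sees sourced from SERVER_MAC.
            switch.forward(ROUTER_MAC, 1, BROADCAST, now)
            switch.forward(SERVER_MAC, 2, ROUTER_MAC, now)
            self.arp[ip] = (SERVER_MAC, now)
        return self.arp[ip][0]


def simulate(aging_time, arp_timeout, duration=3600):
    """Router sends one frame per second to the server for `duration` s.
    Returns how many of those frames the switch flooded."""
    switch = Switch(aging_time)
    router = Router(arp_timeout)
    for now in range(duration):
        dst = router.resolve(SERVER_IP, now, switch)
        switch.forward(ROUTER_MAC, 1, dst, now)
    return switch.flooded_unicasts


if __name__ == "__main__":
    # Cisco IOS defaults: MAC aging 300 s, ARP timeout 14400 s (4 hours).
    print("defaults (aging 300 / arp 14400):", simulate(300, 14400))
    # ARP timeout slightly below the aging time, as suggested above.
    print("aligned  (aging 300 / arp 280):  ", simulate(300, 280))
```

The two numbers printed are the point: with the defaults, frames to the server are flooded from second 300 onward for the rest of the hour; with the ARP timeout just under the aging time, the server's ARP reply refreshes its table entry every 280 s and the count stays at zero.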

johnvojtech Mon, 01/28/2008 - 07:45

It turns out it was the NLB. Is there a setting or a configuration that I need to set? Or just let it go as background noise?

Kevin Dorrell Sun, 01/27/2008 - 01:54

Further to Edison's posting: as Edison points out, you are seeing these unicast packets because the switch has aged out the MAC forwarding table entry corresponding to the destination of those packets. If you have the default aging values, this means that this switch has not seen any packets from that address during the past 5 minutes, and therefore has no idea where to send those packets when that MAC address is the destination.

It is quite normal for a network to have a certain proportion of flooded unicasts for just that reason. In my experience, you might expect, say, 1% of the background noise to be flooded unicasts.

If the unicasts are more persistent, then it is worth investigating. This sort of situation can arise if the host in question is sourcing packets from one MAC address, but handing out ARP responses that indicate another. These are corner cases, but they can happen, and they are quite fun to investigate. It can happen, for example, if you have asymmetric routing due to sharing your VLANs between two routers as an HSRP pair. It can happen with certain server NLB configurations. In certain load balancing schemes, the servers hand out a multicast address in an ARP response.

So, there are many ways you can get to see someone else's traffic on a port of a switched network. If around 1% of the packets you see are flooded unicasts, then that is quite normal. If you have much more than that, then I would need to know a lot more about the nature of the traffic and the topology of your network before I could say why it is happening.

Does that make sense?

Kevin Dorrell
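Added example, not part of the thread: the "about 1% is normal, more is worth investigating" check from the reply above, as Python run over a capture. It parses raw Ethernet headers, sorts each frame into broadcast, multicast, unicast-to-me or flooded unicast (a unicast frame whose destination is not the sniffer's own NIC), reports the flooded share against a 1% threshold, and lists destinations that keep getting flooded, which is the "persistent" case worth chasing. The capture and all MACs are constructed for the example; it does not read a real pcap, though the per-frame logic is the same once you have the frame bytes.

```python
"""Measure the share of flooded unicasts in a set of Ethernet frames.
Constructed example; the capture and MAC addresses are made up."""
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def fmt(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


SNIFFER_MAC = mac("00:0c:29:aa:bb:cc")     # assumed MAC of the sniffer NIC


def frame(dst, src, ethertype=0x0800, payload=b""):
    """Build a minimal Ethernet frame (default EtherType 0x0800 = IPv4)."""
    return ETH_HDR.pack(mac(dst), mac(src), ethertype) + payload


def classify(raw, my_mac=SNIFFER_MAC):
    dst, _src, _etype = ETH_HDR.unpack_from(raw)
    if dst == b"\xff" * 6:
        return "broadcast"
    if dst[0] & 1:
        # Group bit set: IP multicast (01:00:5e:...) and also the
        # multicast-mode NLB cluster MACs handed out in ARP replies.
        return "multicast"
    if dst == my_mac:
        return "unicast_to_me"
    return "flooded_unicast"      # someone else's unicast: the switch flooded it


def analyse(frames, my_mac=SNIFFER_MAC, warn_ratio=0.01, persistent=3):
    """Per-class counts, flooded share, and destinations flooded at least
    `persistent` times (the switch is repeatedly failing to learn them)."""
    classes = Counter()
    flooded_dsts = Counter()
    for raw in frames:
        kind = classify(raw, my_mac)
        classes[kind] += 1
        if kind == "flooded_unicast":
            flooded_dsts[fmt(raw[0:6])] += 1
    total = sum(classes.values())
    ratio = classes["flooded_unicast"] / total if total else 0.0
    suspects = sorted(d for d, n in flooded_dsts.items() if n >= persistent)
    return {
        "counts": dict(classes),
        "flooded_ratio": ratio,
        "above_normal": ratio > warn_ratio,
        "persistent": suspects,
    }


# Constructed capture: ARP broadcasts, IGMP-style multicast, pings aimed at
# the sniffer, and ICMP echo replies from a server (00:50:56:00:00:02) to
# another host (00:0c:29:00:00:01) that the switch flooded past us.
CAPTURE = (
    [frame("ff:ff:ff:ff:ff:ff", "00:0c:29:00:00:01", 0x0806)] * 40
    + [frame("01:00:5e:00:00:01", "00:0c:29:00:00:01")] * 10
    + [frame("00:0c:29:aa:bb:cc", "00:0c:29:00:00:01")] * 45
    + [frame("00:0c:29:00:00:01", "00:50:56:00:00:02")] * 5
)

if __name__ == "__main__":
    result = analyse(CAPTURE)
    print(result["counts"])
    print(f"flooded share: {result['flooded_ratio']:.1%}",
          "(above normal)" if result["above_normal"] else "(normal)")
    print("persistently flooded destinations:", result["persistent"])
```

On the constructed capture 5 of 100 frames are flooded unicasts, so the share is 5% and all five go to the same host, which is exactly the "persistent" pattern the reply says to investigate; a healthy network would sit around the 1% line with no single destination dominating.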


