strange traffic on my network card

Jul 1st, 2008

Hi all, I manage a big network. Using Wireshark I noted that I receive on my network card packets with a destination address not directed to my PC. In my network we have a lot of virtual servers managed with VMware. Could it be the reason for this traffic? Does anyone have experience with this?

dhananjoy chowdhury Tue, 07/01/2008 - 03:23


If you are connected to a Cisco switch and no mirroring is configured, then you should only receive broadcast and sometimes multicast packets on your PC's network card.

ralphcarter Tue, 07/01/2008 - 06:55

You are seeing broadcast/multicast traffic on your VLAN. This is normal. You won't see any unicast traffic between other devices unless you run a SPAN on the source/destination.

Read up on Layer 2 switching and it will make things a lot more clear as to how the switch and its ports operate.

michael.leblanc Tue, 07/01/2008 - 10:44

You might want to be more specific.

Are you referring to destination MAC addresses, destination IP addresses, both?

An example would be beneficial.

andrew.butterworth Tue, 07/01/2008 - 11:35

It sounds like unicast flooding. This is normal on a network where you have asymmetric paths and/or multiple switches in the same Layer-2 domain. Without redesigning the network it is impossible to get rid of, however it can be 'tuned' by changing the ARP & CAM timers to be similar.

I think this is one of the biggest reasons to deploy a structured Campus network, as with a properly structured LAN with VLANs not spanning any Layer-2 switches you can completely eliminate this behaviour.



gdspa Tue, 07/01/2008 - 23:50

Thanks for your answer. Yes, I meant unicast packets that I receive but for which I'm not the right destination. I'll read the document you indicated.

andrew.butterworth Wed, 07/02/2008 - 00:33

This is very common in campus networks. What happens is a host or a Layer-3 device has a valid ARP entry however the Layer-2 device that is forwarding the traffic does not have a CAM entry for the MAC so floods it to all ports in the VLAN (except the one it was received on).

In Layer-3 environments with asymmetric paths (i.e. two distribution switches running HSRP down to an access-layer) both routers will legitimately forward traffic directly to hosts on a VLAN. If one of the distribution switches has an ARP entry but no corresponding CAM entry it will flood it to all ports in the VLAN. If only one uplink/downlink is configured for this then it's fine as long as there is only one access switch in the VLAN as the flooding is contained to one link, the access switch has the MAC device that the traffic is destined for and will have a CAM entry. If you have access switches cascaded then the flooding can continue in the access-layer until it reaches the switch where the host is.

Tuning the CAM & ARP timers to be similar in all Layer-2 & Layer-3 devices within the same broadcast domain can improve things, however the only solution to eliminating it is redesigning the network. Layer-3 to the edge is the most efficient, however a Layer-2 edge and a Layer-3 Distribution are good as long as you don't span VLANs between access switches.



hobbe Wed, 07/02/2008 - 01:34

If the strange traffic is e.g. UDP, then it could be that the traffic you are seeing is traffic for a server that does not respond, e.g. syslog and such.

If the server is quiet, the switches do not know where the MAC address is, since it has timed out from the switches' CAM table. The switches then send the packets all over the broadcast zone.

I do not know if this helps, but it might be something like that.
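The mechanism described in the replies above (a router's ARP entry outliving the switch's CAM entry for a host that only receives, such as a syslog server), as an added example that is not part of the original thread. It models a single learning switch and counts how many unicast frames reach a bystander PC; the three-port layout, the constructed MAC addresses (documentation range) and the timer values of 300 s CAM aging and 14400 s ARP timeout are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Switch:
    ports: tuple
    cam_age: int                              # CAM aging time in seconds
    cam: dict = field(default_factory=dict)   # MAC -> (port, last time seen as source)

    def forward(self, now, in_port, src, dst):
        """Learn the source MAC, then return the ports the frame leaves on."""
        self.cam[src] = (in_port, now)
        entry = self.cam.get(dst)
        if dst != BROADCAST and entry and now - entry[1] < self.cam_age:
            return [entry[0]]                            # known unicast: one port
        return [p for p in self.ports if p != in_port]   # broadcast or aged-out unicast: flood

def bystander_frames(cam_age, arp_timeout, duration=3600, interval=10):
    """Count unicast frames for the server that also reach the PC on port 3."""
    router, server = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
    sw = Switch(ports=(1, 2, 3), cam_age=cam_age)
    sw.forward(0, 2, server, BROADCAST)   # server is heard once at boot
    arp_learned = 0                       # router resolved the server at t=0
    seen = 0
    for now in range(interval, duration + 1, interval):
        if now - arp_learned >= arp_timeout:
            # ARP entry expired: the router re-ARPs and the server's reply
            # crosses the switch, which refreshes the CAM entry.
            sw.forward(now, 1, router, BROADCAST)
            sw.forward(now, 2, server, router)
            arp_learned = now
        # One-way datagram (e.g. syslog over UDP): the server never answers.
        if 3 in sw.forward(now, 1, router, server):
            seen += 1
    return seen

if __name__ == "__main__":
    print("ARP 14400 s, CAM 300 s:", bystander_frames(300, 14400), "flooded frames seen")
    print("ARP 300 s,   CAM 300 s:", bystander_frames(300, 300), "flooded frames seen")
```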

