Switch acting as hub. Wireshark sees all the tcp traffic

Unanswered Question
Feb 14th, 2010

Hi all,


When I connected Wireshark to a normal L2 access port in VLAN 2 and captured the packets, I noticed lots of TCP traffic between different ports in my Wireshark. I checked the core switch (Cisco 4507R) but could not see any SPAN configured. Most of the ports are trunk ports and the other unused ports are shut down. My Wireshark-connected port is an access port in VLAN 2.


Could anyone guide me to a workaround?


swami

Ganesh Hariharan Sun, 02/14/2010 - 02:50

Hi Swami,


Wireshark is enabled on a system which is connected to a switch port, so whatever traffic is coming in or out on that particular port will be captured on your desktop running Wireshark. If you want to sniff a particular port, then configure a SPAN session on the switch and configure the Wireshark PC's port as the destination port in the SPAN configuration. Hope that is clear!


If helpful, do rate the post.


Ganesh.H

Giuseppe Larosa Sun, 02/14/2010 - 05:12

Hello Swami,

check with

sh monitor session all


If no SPAN is configured on the system, your device has its CAM table overloaded (MAC flooding attack).


Check this with:

sh mac address-table dyn count


or

sh mac-address-table dyn count


Look for the final lines, which tell you how many MAC addresses are in the CAM table and give you the size of the CAM table.


Hope to help

Giuseppe

Kevin Dorrell Sun, 02/14/2010 - 07:35

I presume it is only VLAN 2 traffic you are seeing. If you are seeing traffic that doesn't belong in VLAN 2, then something is seriously wrong, and we need to look deeper.


If you have connected your Wireshark to an access port, then you should expect to see some traffic, even if the Wireshark port is not specifically concerned with it. To be precise, you will see:


  • All the broadcasts on the VLAN
  • All the multicasts on the VLAN, unless IGMP snooping or CGMP is enabled. Usually, IGMP snooping is enabled by default. BTW, you would also see all the multicasts if the port happens to be declared as an mrouter port.
  • Some unicast flooded traffic, especially if the aging time is short. In my network, I expect the unicast traffic to be not much more than 1% of the background traffic, but it can be much higher, especially if you have asymmetric forwarding in the VLAN for some reason (NLB, HSRP, etc.).
  • If the CAM has overflowed, you will see all the traffic in the VLAN, as Giuseppe pointed out. But this usually does not happen unless someone is playing with hacking tools.
  • If the VLAN is misconfigured as an RSPAN VLAN, then you will see all the traffic.  Declaring the VLAN as RSPAN disables MAC learning.


So, to understand what is going on, I really need to get a feel for what proportion of this traffic is broadcast, how much is multicast, and how much is flooded unicast.


Kevin Dorrell

Luxembourg
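As an added example (not part of this thread or any poster's code), a small Python script that sorts captured frames into the categories Kevin lists, by destination MAC, so the broadcast / multicast / flooded-unicast proportions can be read off. The frames and the capturing host's MAC are constructed for the demo; with a real capture you would feed it the destination MACs exported from Wireshark instead.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, own_mac):
    """Classify one Ethernet frame by its destination MAC (first 6 bytes)."""
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    if dst == own_mac:
        return "unicast-to-me"     # normal: addressed to the capturing host
    return "flooded-unicast"       # another host's unicast reached us: the switch flooded it

def summarize(frames, own_mac):
    """Return {class: (count, percent)} for a list of frames."""
    counts = Counter(classify(f, own_mac) for f in frames)
    total = sum(counts.values())
    return {k: (v, round(100.0 * v / total, 1)) for k, v in counts.items()}

def flooded_unicast_pct(frames, own_mac):
    """Share of frames that are unicast for other hosts. Around 1% is normal
    background; if it dominates, every unicast is being flooded (full CAM, RSPAN VLAN)."""
    return summarize(frames, own_mac).get("flooded-unicast", (0, 0.0))[1]

# Constructed sample capture: 14-byte Ethernet headers only, no payload.
# (With a real capture: tshark -r file.pcap -T fields -e eth.dst, then classify each.)
OWN_MAC = mac("00:11:22:33:44:aa")      # assumed MAC of the Wireshark host

def frame(dst, src, ethertype):
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big")

SAMPLE = [
    frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", 0x0806),  # ARP broadcasts
    frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:02", 0x0806),
    frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:03", 0x0806),
    frame("01:00:5e:00:00:fb", "00:11:22:33:44:04", 0x0800),  # IPv4 multicast (mDNS)
    frame("33:33:00:00:00:01", "00:11:22:33:44:05", 0x86dd),  # IPv6 all-nodes multicast
    frame("00:11:22:33:44:aa", "00:11:22:33:44:06", 0x0800),  # unicast to this host
    frame("00:11:22:33:44:b1", "00:11:22:33:44:07", 0x0800),  # unicast for other hosts
    frame("00:11:22:33:44:b2", "00:11:22:33:44:08", 0x0800),  #   that the switch flooded
    frame("00:11:22:33:44:b3", "00:11:22:33:44:09", 0x0800),
    frame("00:11:22:33:44:b1", "00:11:22:33:44:07", 0x0800),
]

if __name__ == "__main__":
    for cls, (n, pct) in summarize(SAMPLE, OWN_MAC).items():
        print(f"{cls:16s} {n:4d} {pct:5.1f}%")
```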
