Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1945
Views
0
Helpful
3
Replies

Switch acting as hub. Wireshark sees all the tcp traffic

arumugasamy
Level 1
Level 1

‎02-14-2010 02:46 AM - edited ‎03-06-2019 09:42 AM

Hi all,

When I connected the wireshark to the normal L2 access port in vlan 2 and capture the packets. I am noticing lots of tcp traffic  between different ports in my wireshark . I checked the core switch cisco 4507R but could not seen any span configured . Most of the ports are trunk ports and other unused ports are shutdown.My wireshark connected port is access port in vlan 2.

Could anyone guide me the work around.

swami

Labels:
0 Helpful
3 Replies 3

Ganesh Hariharan
VIP Alumni
VIP Alumni

‎02-14-2010 02:50 AM 

Hi all,
When
I connected the wireshark to the normal L2 access port in vlan 2 and
capture the packets. I am noticing lots of tcp traffic  between
different ports in my wireshark . I checked the core switch cisco 4507R
but could not seen any span configured . Most of the ports are trunk
ports and other unused ports are shutdown.My wireshark connected port
is access port in vlan 2. 
Could anyone guide me the work around.
swami

Hi Swami,

Wireshark is enbled in system which is connected to switch port so what ever traffic coming in or out in that particular port will captured in your desktop which is running wireshark, If you want to configure or want to sniff particular port then configure span port in switch and configure wireshark pc as destination port in span configuration, hope that clear !!

If helpful do rate the post

Ganesh.H

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-14-2010 05:12 AM

Hello Swami,

check with

sh monitor session all

if no SPAN is on the system your device has its CAM table overloaded (MAC flooding attack)

check this with:

sh mac address-table dyn count

or

sh mac-address-table dyn count

look for the final lines that tell how many MAC addresses are in the CAM table and gives you the size of the CAM table.

Hope to help

Giuseppe

0 Helpful

Kevin Dorrell
Level 10
Level 10

‎02-14-2010 07:35 AM

I presume it is only VLAN2 traffic you are seeing.  If you are seeing traffic that doesn't belong in VLAN 2, then something is seriously wrong, and we need to look deeper.

If you have connected your wireshark to an acess port, then you should expect to see some traffic, even if the wireshark port is not specifically concerned with it.  To be precise, you will see:

  • All the broadcasts on the VLAN
  • All the multicasts on the VLAN, unless IGMP snooping or CGMP is enabled.  Usually, IGMP snooping is enabled by default.  BTW, you would also see all the multicasts if the port happens to be declared as an mrouter port.
  • Some unicast flooded traffic, especially if the aging time is short.  In my network, I expect the unicast traffic to be not much more than 1% of the background traffic, but it can be much higher, especially if you have asymmetric forwarding in the VLAN for some reason.  (NLB, HSRP, etc.)
  • If the CAM has overflowed, you will see all the traffic in the VLAN, as Giuseppe pointed out.  But this usually does not happen unless someone is playing with hacking tools.
  • If the VLAN is misconfigured as an RSPAN VLAN, then you will see all the traffic.  Declaring the VLAN as RSPAN disables MAC learning.

So, to understand what is going on, I really need to get a feel for what proportion of this traffic is broadcast, how much is multicast, and how much is flooded unicast.

Kevin Dorrell

Luxembourg

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card