Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
861
Views
0
Helpful
1
Replies

Monitoring Broadcast Traffic - Seeing Point to Point Traffic?

stownsend
Level 2
Level 2

‎04-05-2016 07:34 AM

I have a PC with 2 NICs in it.  One has all of the normal Stuff, the 2nd NIC has nothing checked in its Properties. 

2nd NIC is connected to an SG300-52 Switch setup as General Access, untagged VLAN 101. No RMON/Port Mirroring or anything special. Only looking for Broadcast traffic. 

Wireshark is setup to only monitor traffic on the 2nd NIC. 

Wireshark for the most part is capturing all of the Broadcast Traffic. Though In the WireShark Buffer and Conversation log I can see other Point to point traffic from Machines that are connected to the same switch, though not the Machine I'm on.  They only account for a couple % of the Packet count and only maybe 8 of the few thousand conversations logged. 

BackupServer<--> Mail Server

BackupServer<--> SQL Server

RandomPC <--> MS Win Update

ands a few others. 

When I look at the Packets, they have a like of TCP DUP ACKs, Retransmissions, and several other things.   Even though there seem to be issues with the Packets, why is my Monitoring NIC that's only looking at the Broadcast stuff seeing this other traffic?

Labels:
0 Helpful
1 Reply 1

chrihussey
VIP Alumni
VIP Alumni

‎04-19-2016 04:04 AM

Switches form CAM tables which identify which MAC addresses are associated with which switch ports. CAM table entries (like ARP tables) can time out and need to be re-learned. When a switch needs to forward a packet to an unknown MAC address on a VLAN, it will broadcast it out all ports until can update it's CAM table appropriately.

If you're seeing just a few packets from these conversations and not the full exchange this is more than likely the cause and shouldn't be a concern.

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Switch products supported in this community
Cisco Business Product Family
  • CBS110
  • CBS220
  • CBS250
  • CBS350
Cisco Switching Product Family
  • 110
  • 200
  • 220
  • 250
  • 300
  • 350
  • 350X
  • 550X
Customers Also Viewed These Support Documents