Cisco Support Community
New Member

Ethereal capturing a source and destination that is not its IP

Got a question in regards to Ethereal capturing a source and destination set of IP addresses that do not include the IP of the device that I capture on. Is this due to promiscuous mode?

Say the capture NIC card is 10.0.0.1. In some of the capture lines I am getting a source of, say, 10.1.2.1 with destination 10.1.2.2, i.e. it does not include the PC that is running Ethereal doing the capture. (I am not running RSPAN either.)

  • IP Telephony
3 REPLIES
Silver

Re: Ethereal capturing a source and destination that is not its

Let's just clear up a few things. RSPAN is only used when there is a requirement to sniff a network port on a switch that is not directly connected to the same switch as the sniffer. So the first question: is your Ethereal host connected to the same switch?

Secondly, if you have set a filter in Ethereal stipulating the source/destination IP pair of addresses, then the capture should only show those packets which match exactly the src/dst IPs which you have set.

Any PVLAN configuration associated with the port which you are sniffing, or the port connected to Ethereal, will undoubtedly throw up unexpected results, and in some cases nothing at all.

"PVLAN ports cannot be trunk ports, cannot channel, cannot have dynamic VLAN membership, and cannot be a Switched Port Analyzer (SPAN) destination."

<http://www.cisco.com/warp/public/473/63.html>

hth,

Ajaz

New Member

Re: Ethereal capturing a source and destination that is not its

Ethereal (which has been renamed to Wireshark) captures in promiscuous mode by default, meaning that it will bring in all traffic that hits the NIC. Something you might want to look into is why traffic for 10.1.2.1 and 10.1.2.2 is hitting your port. Assuming you're on a switch (and not a hub), AND that you don't have SPAN configured, you shouldn't see unicast traffic between other ports (in theory, at least).

You should really think about upgrading to Wireshark, BTW. We changed the name from Ethereal in May 2006: http://www.wireshark.org/ Several major security bugs have been fixed since then.

New Member

Re: Ethereal capturing a source and destination that is not its

Thanks for your replies, it looks like it is traffic from a server destined for a host whose MAC address has timed out on the switch.

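The case this thread ends on, unicast frames between 10.1.2.1 and 10.1.2.2 arriving at a promiscuous NIC that is neither endpoint, can be picked out of a capture by looking at the Ethernet destination address rather than the IP addresses. The Python below is an added example, not part of any post in the thread; the MAC addresses, the sample frames and the function names are constructed for illustration, and untagged (no 802.1Q) frames are assumed.

```python
import socket
import struct
from collections import Counter

LOCAL_MAC = bytes.fromhex("020000000001")  # constructed: MAC of the capture NIC (10.0.0.1)

def make_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Build a constructed Ethernet + IPv4 header (no payload, checksum left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip

def classify(frame, local_mac):
    """Return (kind, src_ip, dst_ip); the IPs are None for non-IPv4 or truncated frames."""
    if len(frame) < 14:
        return ("truncated", None, None)
    dst, src = frame[:6], frame[6:12]
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 0x01:               # I/G bit set: group (multicast) address
        kind = "multicast"
    elif local_mac in (dst, src):
        kind = "own"
    else:
        kind = "foreign-unicast"      # only visible because the NIC is promiscuous
    src_ip = dst_ip = None
    if frame[12:14] == b"\x08\x00" and len(frame) >= 34:
        src_ip = socket.inet_ntoa(frame[26:30])
        dst_ip = socket.inet_ntoa(frame[30:34])
    return (kind, src_ip, dst_ip)

def flooded_pairs(frames, local_mac):
    """Count IP pairs carried in unicast frames that are not addressed to or from us."""
    pairs = Counter()
    for f in frames:
        kind, src_ip, dst_ip = classify(f, local_mac)
        if kind == "foreign-unicast" and src_ip:
            pairs[(src_ip, dst_ip)] += 1
    return pairs

SAMPLE = [  # constructed frames, not taken from the thread's capture
    make_frame("020000000001", "020000000005", "10.0.0.5", "10.0.0.1"),
    make_frame("ffffffffffff", "020000000009", "10.0.0.9", "10.0.0.255"),
    make_frame("01005e000001", "020000000009", "10.0.0.9", "224.0.0.1"),
    make_frame("020000000022", "020000000021", "10.1.2.1", "10.1.2.2"),
    make_frame("020000000022", "020000000021", "10.1.2.1", "10.1.2.2"),
]

if __name__ == "__main__":
    for pair, n in flooded_pairs(SAMPLE, LOCAL_MAC).items():
        print(pair, n)
```

On a switched port with no SPAN session, a non-empty result means the switch is flooding those frames, which is consistent with the aged-out MAC address entry reported in the last reply.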