What traffic should I see on a switched network?

I have had a question from our Linux Admin about him seeing traffic not destined for his server passing the NIC on his server and he has concerns.

He believes that as it was a switched network his server should only be seeing traffic destined for itself.

This is not a major issue but has got me thinking.

From my knowledge I know that the server will see all broadcast / ARP / STP traffic within its VLAN.

The dump he has provided from nmap on the server with a filter for broadcast shows other conversations that he does not believe should be there. From my knowledge this appears to be ack packets mainly and no data.

Can anyone provide any information to make this issue clearer?

What traffic should be seen on the NIC port of a server in a vlan - how can this be reduced - access list on the port? Create smaller vlans?

For information the building this server is in is in one big vlan with about 250 nodes, the server is plugged into a 3750 stack of 6 switches.

NMAP dump below

[root@SERVER1 ~]# tcpdump not ip broadcast and not ether broadcast and not host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:37:23.000802 802.1d config 8001.00:1b:8f:62:f9:00.8116 root 8001.00:12:da:df:ac:00 pathcost 19 age 2 max 20 hello 2 fdelay 15
17:37:23.275362 IP lstavs001.sabams > jthdsk3066.: S 3509041410:3509041410(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:23.277007 IP lstavs001.dicom-iscl > jthdsk3055.43130: S 1451384428:1451384428(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:23.384040 IP lstavs001.dicom-tls > jthdsk1072.43130: S 2181582281:2181582281(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:23.710285 IP lstavs001 > jthdsk1185.43130: S 1681256111:1681256111(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:24.150295 IP lstavs001.> jthdsk0040.43130: S 3866302647:3866302647(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:24.998863 00:1e:f6:fa:41:88 (oui Unknown) > 01:00:0c:cc:cc:cc (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 46
17:37:24.998955 00:1e:f6:fa:41:88 (oui Unknown) > 01:00:0c:00:00:00 (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 76
17:37:24.999919 802.1d config 8001.00:1b:8f:62:f9:00.8116 root 8001.00:12:da:df:ac:00 pathcost 19 age 2 max 20 hello 2 fdelay 15
17:37:25.525759 IP lstavs001.> jthdsk1105.43130: S 406757176:406757176(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:28.194629 IP > jthdsk1061.43130: S 879932432:879932432(0) win 65535 <mss 1460,nop,nop,sackOK>

This is not a major problem but he sees it as a security issue, I would just like to provide an intelligent answer!
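As an added example (not part of the original post), the following script sorts lines of a tcpdump text capture into what a host on a switched port should expect to see. Frames to a broadcast or multicast destination (STP BPDUs, the SNAP frames to 01:00:0c:... above) are always flooded by a switch; a unicast frame for some other host means the switch had to flood it because it had no table entry for the destination. The sample lines are copied from the dump posted above; the local host name "server1" is an assumption.

```python
"""Classify lines of a tcpdump text capture by whether a host on a switched
port should expect to see them.  Added example, not from the thread; the
SAMPLE_CAPTURE lines are copied from the posted dump, the local host name
passed as my_host is an assumption."""
import re
from collections import Counter

# Constructed sample: lines taken verbatim from the dump in the question.
SAMPLE_CAPTURE = """\
17:37:23.000802 802.1d config 8001.00:1b:8f:62:f9:00.8116 root 8001.00:12:da:df:ac:00 pathcost 19 age 2 max 20 hello 2 fdelay 15
17:37:23.275362 IP lstavs001.sabams > jthdsk3066.: S 3509041410:3509041410(0) win 65535 <mss 1460,nop,nop,sackOK>
17:37:24.998863 00:1e:f6:fa:41:88 (oui Unknown) > 01:00:0c:cc:cc:cc (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 46
17:37:24.998955 00:1e:f6:fa:41:88 (oui Unknown) > 01:00:0c:00:00:00 (oui Unknown) SNAP Unnumbered, ui, Flags [Command], length 76
17:37:25.525759 IP lstavs001.> jthdsk1105.43130: S 406757176:406757176(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

# Non-IP frames: "src (oui X) > dst (oui Y) ..."
ETHER_RE = re.compile(
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5}) \(oui [^)]*\) > ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.I)
# IP lines: "IP src.port > dst.port:" (either side may be truncated in the dump)
IP_RE = re.compile(r"\bIP\s+(\S*)\s*>\s+(\S+?):")


def mac_is_multicast(mac: str) -> bool:
    """Group address: the Individual/Group bit is the LSB of the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


def host_of(token: str) -> str:
    """Strip the '.port' suffix tcpdump appends: 'jthdsk1105.43130' -> 'jthdsk1105'."""
    return token.rsplit(".", 1)[0] if "." in token else token


def classify(line: str, my_host: str) -> str:
    if " 802.1d " in line:
        return "stp-bpdu"                 # to 01:80:c2:00:00:00, every port sees it
    m = ETHER_RE.search(line)
    if m:
        dst = m.group(2).lower()
        if dst == "ff:ff:ff:ff:ff:ff":
            return "broadcast"
        if mac_is_multicast(dst):
            return "multicast"            # CDP/VTP/PVST+ style control traffic
        return "unicast-other"            # L2 unicast for another station
    m = IP_RE.search(line)
    if m:
        src, dst = host_of(m.group(1)), host_of(m.group(2))
        if my_host in (src, dst):
            return "unicast-ours"
        first = dst.split(".")[0]
        if first.isdigit() and 224 <= int(first) <= 239:
            return "multicast"            # IP multicast group (visible with -n)
        return "unicast-other"            # flooded unicast: unknown dst or asymmetric path
    return "unparsed"


def summarize(capture: str, my_host: str) -> Counter:
    """Count frame classes over all non-empty capture lines."""
    return Counter(classify(l, my_host) for l in capture.splitlines() if l.strip())


if __name__ == "__main__":
    for kind, n in summarize(SAMPLE_CAPTURE, "server1").items():
        print(f"{kind:15s} {n}")
```

On the posted dump this reports one STP BPDU, two multicast SNAP frames and two unicast SYNs for other hosts; only the last class is the interesting one, since the switch forwarded those because it did not know (or had forgotten) where the destination lived. To capture just that class on the server, a filter along the lines of `not ether broadcast and not ether multicast and not ether host <server MAC>` (with `-e` to print addresses) isolates it.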



Re: What traffic should I see on a switched network?


For the sake of simplicity, let's not talk about VLANs and assume that the entire switch is placed in a single VLAN.

A switch will flood all multicast and broadcast frames as well as unicast frames with unknown destination through all ports (except the incoming port). It is therefore normal to see frames that are not destined to a particular station.

Asymmetric routing can result in flooding in a switched network: if the route from A to B is different from the route from B to A, switches on each particular route see only a unidirectional flow and cannot determine the destination MAC address, as the flow in the opposite direction takes a different path. As a result, the frames of both these flows may be flooded through other ports. This option should be investigated in your network.

Also, the time needed for a switch to store a newly learned MAC address into its MAC address table is longer than the time to switch a frame. It is normal to see several frames of a bidirectional conversation before the switch stores the MAC addresses into its hardware tables and starts using them.

It has to be stressed that a switch is not primarily a security device, although - as a result of its operation - it increases the security somewhat. It must be expected that under some circumstances frames will be flooded to all ports because it is a normal part of switch operation. Your Linux Admin should be aware that it is not appropriate to expect that a switch will provide perfect flow isolation. The only way to really secure network communication is to use proven cryptographic methods.

Best regards,
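To make the flooding behaviour described in the reply above concrete, here is an added example (not code from the thread) of a toy learning switch. It shows the three cases a station on a spare port sees: broadcast/multicast is always flooded, the first frame to a not-yet-learned unicast address is flooded, and on the return path of an asymmetric route the host's entry ages out of the MAC table while the router's ARP cache still points at it, so every frame to that host is flooded for as long as the route stays asymmetric. Port names, MAC addresses, the 300 s aging value (the usual IOS default) and the 4 h ARP timeout are assumptions for the demonstration.

```python
"""Toy learning switch: when does a frame reach a port it is not addressed to?
Added example, not from the original thread.  Port names, MACs and the aging
values are assumptions: 300 s mirrors the usual IOS MAC aging default, 14400 s
the usual router ARP timeout."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Switch:
    ports: list
    aging: float = 300.0                        # seconds a learned MAC stays valid
    table: dict = field(default_factory=dict)   # mac -> (port, time last seen)

    def forward(self, in_port: str, src: str, dst: str, now: float) -> list:
        """Process one frame and return the ports it is sent out of."""
        self.table[src] = (in_port, now)        # learn / refresh the source address
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.aging:
                del self.table[mac]             # entry aged out
        others = [p for p in self.ports if p != in_port]
        if is_group_address(dst):
            return others                       # broadcast/multicast: always flooded
        known = self.table.get(dst)
        if known is None:
            return others                       # unknown unicast: flooded as well
        out_port = known[0]
        return [out_port] if out_port != in_port else []


def scenario_bidirectional():
    """Normal case: A on port 1, B on port 2, an observer on port 3."""
    sw = Switch(ports=["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"])
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    arp_request = sw.forward("Gi1/0/1", a, BROADCAST, now=0.0)   # observer sees it
    arp_reply = sw.forward("Gi1/0/2", b, a, now=0.1)             # A already learned
    data = sw.forward("Gi1/0/1", a, b, now=0.2)                  # B learned: port 2 only
    return arp_request, arp_reply, data


def scenario_asymmetric(aging: float = 300.0):
    """Switch on the RETURN path of an asymmetric route.

    Host X (port 1) sends its outbound traffic through another switch, so this
    switch sees X's source MAC only once (an ARP reply at t=0).  Router R2 on
    the uplink keeps forwarding to X's MAC from its ARP cache long after that."""
    sw = Switch(ports=["Gi1/0/1", "Gi1/0/2", "Gi1/0/24"], aging=aging)
    x, r2 = "00:00:00:00:00:0a", "00:00:00:00:00:f2"
    sw.forward("Gi1/0/1", x, r2, now=0.0)          # X's only frame on this path
    # ten minutes later: R2 -> X frames arrive on the uplink
    return sw.forward("Gi1/0/24", r2, x, now=600.0)


if __name__ == "__main__":
    print("bidirectional:", scenario_bidirectional())
    print("asymmetric, 300 s aging :", scenario_asymmetric())        # flooded to port 2
    print("asymmetric, 4 h aging   :", scenario_asymmetric(14400.0))  # port 1 only
```

With the default aging the return traffic for X is delivered to port 2 as well, which is exactly the pattern of "conversations between two other hosts" the admin observed. Making the MAC aging time at least as long as the router's ARP timeout (or fixing the routing so both directions take the same path) stops the flooding; it is an argument about switch table timers, not about the port being insecure.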


