Cisco Support Community
Community Member

Wireshark capture all packets on segment

We have windows servers with Wireshark version 1.41 setup in promiscuous mode, and connected to a CISCO 6500 switch.

The ports are setup as switchports with a standard confguration.

When we bring up the captuer its capturing all packets even to other hosts  - can anyone explain this?

Normally I would only see the broadcast traffic and traffic to /from my own host with wireshark on it.

is this some new feature which tells my switch to send all the packets or some issue with the siwtch?

Community Member

Wireshark capture all packets on segment

Do you have a session configured to monitor a port?  A command that says:

"monitor session 1 source ...."

"monitor session 1 destination ...."

Community Member

Wireshark capture all packets on segment

No there are not any span sessions setup.

But its picking up all packets off the switch.

Unicast packets which are not destined to teh host running wireshark.

I cant figure it out unless

     1. some new version of wireshark can tell teh switch to send it all packets.

     2. the switch is hosed.

i dont see anything abnormal on the switch with teh cam table, arp cache

any ideas would be helpful


Community Member

Wireshark capture all packets on segment

could this be caused by unicast flooding on the switch maybe>?

Hall of Fame Super Gold

Re: Wireshark capture all packets on segment

It sounds like something is causing unicast flooding on your switch. There are several things that can cause this including overflow of the cam, or assymetric traffic flows. In assymetric traffic flows frequently there are two switches on a VLAN. A host is connected to switch A and sends its traffic out through its connection to switch A. The traffic gets to the destination and the response comes back through switch B. Since the outbound traffic from the host is going through switch A its cam knows the mac address. But since frames from the host are not going through switch B its cam does not learn the mac. And therefore when the response traffic comes through switch B does not have a mac address associated with the IP address and will flood the packet to all ports in the VLAN. It is my guess that this is what is happening in your situation.



[edit] you asked the question about unicast flooding while I was typing my answer.

And yes I believe that your situation may well be due to unicast flooding.

CreatePlease to create content