Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Monitoring a switched port with no span but seeing too much traffic

I connected a sbiffer to a switched port on a c3548. SPAN was not turned on. As I expected, I see alot of broadcast traffic.

However, I am also seeing alot of source/destination traffic. Example would be an ARP reply to a broadcast. WHY? I though the switch would have discovered the source port and I would not see it.

I am running 12.0(5)WC5.


Re: Monitoring a switched port with no span but seeing too much

Not looking to start a panic, but if you do a capture of those packets do you see the IP addresses for those ARPs incrementing sequentially? If so you may have one of those nasty worms that have been going around the Internet, Blaster or Nachi. The ARPs might be happening because of pings that these worms do, looking for other hosts to infect.

Another thing to do is check if you're seeing lots of pings from certain IP's on your network(s). And are they ping-scanning sequentially? You may have to set up a SPAN port to capture this stuff; ideally, on a port that is acting as the uplink to a Layer 3 device, so that you can see everything that's going through that uplink. (Even better, you may want to SPAN as close to the Layer 3 interfaces as you can get.)

If the switch knows where the MAC is, it won't broadcast for it because it already knows where it lives. If a Layer 3 device has already resolved valid IP address to MAC address, then it will have no reason to ARP repeatedly for that information. That stuff stays cached in a Cisco router's ARP tables for something like 4 hours by default, I think.

One of my customers had a Nachi infection on their network. A handful of machines running hundreds of pings per second each can saturate a L3 device, even a switch (theirs was a 3Com CoreBuilder 3500). We couldn't telnet it or route through it, had to console cable in and set their equivalent of a SPAN port to monitor each VLAN and identify the offending machines. A Cisco switch that can do ACLs is on order to replace the 3Com one (which can do ACL equivalents too, but it takes much longer to code them into the box; the Cisco switch is much easier).

Besides pings, some of the other identifying characteristics we saw was a lot of connection attempts looking for TCP port 135 (which Microsoft uses for Remote Procedure Calls or RPCs), but not getting replies.

Hope this helps.

New Member

Re: Monitoring a switched port with no span but seeing too much

I did find a sweep going on.

But I am still confused as to why I see the replies to ARP broacasts when I am not spanning any ports.

The replies at MAC to MAC and I don't think they should show up on my port.


Re: Monitoring a switched port with no span but seeing too much

Look in the mac-address table and see if those macs are there.

CreatePlease login to create content