Cisco Support Community
Community Member

Strange snoop traffic

When I snoop the sniffing interface on one of my sensors, I see the following:

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 326 bytes

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> * ETHER Type=8100 (Unknown), size = 406 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> (multicast) ETHER Type=0000 (LLC/802.3), size = 52 bytes

? -> * ETHER Type=8100 (Unknown), size = 326 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 130 bytes

? -> * ETHER Type=8100 (Unknown), size = 406 bytes

? -> * ETHER Type=8100 (Unknown), size = 70 bytes

? -> * ETHER Type=9000 (Loopback), size = 60 bytes

The sensor appears to be functioning correctly and has set off some alarms. I am just curious why the traffic looks like that. Is this a problem with the way the port is configured? Is the sensor able to understand this traffic?

By the way, this is a 4235 running 3.1(3)S42.

Thanks in advance.

1 REPLY
Cisco Employee

Re: Strange snoop traffic

If I remember correctly, the sensor is seeing Dot1q encapsulated traffic from a trunk port of the switch.

Packetd is built to handle the dot1q encapsulated packets, but snoop was never coded to handle that packet format so you get the "Unknown" packet type.
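The frame layout described in the reply above, as an added example that is not part of the original thread and is not Cisco's code: a small decoder that treats EtherType 0x8100 as an 802.1Q tag and reads the real EtherType behind it, which is the step snoop skips. The MAC addresses, VLAN numbers and payload bytes are constructed sample data.

```python
import struct

TPID_DOT1Q = 0x8100  # the "Type=8100" that snoop reports as Unknown
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x9000: "Loopback"}


def decode_frame(frame: bytes) -> dict:
    """Decode an Ethernet header, stepping over any 802.1Q VLAN tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, tags = 14, []
    # Each tag is 4 bytes: TPID (already read) + 2-byte TCI, then the next type.
    while ethertype == TPID_DOT1Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vlan": tci & 0x0FFF})
        offset += 4
    if ethertype < 0x0600:
        name = "LLC/802.3"  # values below 0x0600 are a length, not a type
    else:
        name = ETHERTYPES.get(ethertype, "Unknown")
    return {"tags": tags, "ethertype": ethertype, "name": name,
            "payload_offset": offset, "size": len(frame)}


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes(46)
# Trunk-port frame: VLAN 100, priority 5, carrying IPv4.
TAGGED = DST + SRC + struct.pack("!HHH", TPID_DOT1Q, (5 << 13) | 100, 0x0800) + PAYLOAD
# Untagged frame with the loopback EtherType seen in the snoop output.
UNTAGGED = DST + SRC + struct.pack("!H", 0x9000) + PAYLOAD

if __name__ == "__main__":
    for frame in (TAGGED, UNTAGGED):
        info = decode_frame(frame)
        vlans = ",".join(str(t["vlan"]) for t in info["tags"]) or "none"
        print(f"vlan={vlans} type={info['ethertype']:04x} ({info['name']}) "
              f"size={info['size']} bytes")
```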
