1

I did a tcpdump capture, and when inspecting the results, I saw some data I couldn't understand.

Say the hostname of the box I did the capture on was box1.blah

I saw traffic like this:

box2.blah:45134 > box3.blah:7802

Now, I know what that traffic is, it's traffic used for the application failover function of HP NNMi, box2 being my primary NNMi box and box3 being my failover box.

I understand that the box1 NIC goes into promiscuous mode when tcpdump is started, but I thought you could only see traffic not addressed to you when using old school hubs, wireless, broadcast or multicast traffic?

None of these situations are true.

So what's going on?

bigyin
  • 11
  • 1

2 Answers

1

Look at the actual hardware destination of the packet. Just because the IP was not a broadcast doesn't mean the hardware destination can't be. Functions like failover often operate via broadcast traffic (sent to ff:ff:ff:ff:ff:ff) which will be seen by every port on the subnet. If the destination is a mac address that is not your PC, and the switch should have learned it (i.e. that host is active) then the packet should not have been sent to you for the reason you stated. If you have the capture file, open it with a tool like Wireshark and you will be able to drill into a lot of detail.

Jeff Meden
  • 846
  • 7
  • 7
1

You are probably looking at what is referred to as Unicast Flooding.

When a switch receives a frame for which it doesn't know the destination MAC address, it floods it out all ports. There is more detail about that process and how a Switch works in this thread: How does a switch learn a MAC address not in its lookup table?

This is normal behavior in Ethernet networks. Nothing to be concerned about.

Reasons for concern would be if you see this consistently and constantly, and the 'box3' mac-address is connected and sending frames regularly.

Eddie
  • 15,286
  • 6
  • 46
  • 84
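Both answers boil down to one check: look at the Ethernet destination of each captured frame, not just the IP addresses. The script below is an added example, not code from the question or either answer, and it uses no capture library: it builds a few Ethernet/IPv4/TCP frames in code (placeholder MAC and IP addresses, box1's MAC assumed to be 00:11:22:33:44:01) and classifies each one as broadcast, multicast, unicast to this host, or unicast to someone else. The last class is the one the second answer attributes to unicast flooding, and `flooding_report` counts how often each foreign destination MAC shows up, which is the "consistently and constantly" signal Eddie says would be worth a closer look.

```python
"""Classify captured Ethernet frames by hardware destination.

Added example; not from the original question or answers. Frames below are
constructed in code with made-up MAC and IP addresses; the capture host is
assumed to be box1 with MAC 00:11:22:33:44:01.
"""
import struct
from collections import Counter

LOCAL_MAC = "00:11:22:33:44:01"          # assumed MAC of box1 (capture host)
BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Build a minimal Ethernet II / IPv4 / TCP frame (checksums left zero)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: version/IHL=0x45, TOS, total length 40, id, flags/frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # TCP: ports, seq, ack, data offset 5 words (0x50), flags PSH|ACK (0x18), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp


def classify_dst_mac(dst: bytes, local_mac: str) -> str:
    """Why did this frame reach our NIC? Decide from the Ethernet destination."""
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                      # group bit set: multicast
        return "multicast"
    if dst == mac_bytes(local_mac):
        return "unicast-to-me"
    return "unicast-to-other"              # only visible if flooded (or hub/mirror port)


def parse_frame(frame: bytes, local_mac: str = LOCAL_MAC) -> dict:
    """Return the MAC pair, its classification and the IP flow in tcpdump style."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rec = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
           "dst_class": classify_dst_mac(dst, local_mac), "flow": None}
    if ethertype != ETHERTYPE_IPV4:
        return rec
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4               # header length in bytes
    proto = ip[9]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        rec["flow"] = f"{src_ip}:{sport} > {dst_ip}:{dport}"
    else:
        rec["flow"] = f"{src_ip} > {dst_ip} proto {proto}"
    return rec


def flooding_report(frames, local_mac: str = LOCAL_MAC) -> Counter:
    """Count unicast frames addressed to some other host, keyed by destination MAC.

    A destination that appears here constantly while that host is clearly active
    on the segment is the case worth investigating: the switch should have
    learned that MAC and stopped flooding frames for it.
    """
    counts = Counter()
    for f in frames:
        rec = parse_frame(f, local_mac)
        if rec["dst_class"] == "unicast-to-other":
            counts[rec["dst_mac"]] += 1
    return counts


# Constructed sample capture (placeholder addresses, not real hosts):
BOX2_MAC, BOX3_MAC = "00:11:22:33:44:02", "00:11:22:33:44:03"
SAMPLE_FRAMES = [
    # box2 -> box3 failover traffic with box3's unicast MAC: the puzzling case
    build_tcp_frame(BOX3_MAC, BOX2_MAC, "10.0.0.2", "10.0.0.3", 45134, 7802),
    build_tcp_frame(BOX3_MAC, BOX2_MAC, "10.0.0.2", "10.0.0.3", 45134, 7802),
    # same IP pair but sent to the broadcast MAC: every port sees this by design
    build_tcp_frame("ff:ff:ff:ff:ff:ff", BOX2_MAC, "10.0.0.2", "10.0.0.3", 45134, 7802),
    # ordinary traffic addressed to box1 itself
    build_tcp_frame(LOCAL_MAC, BOX2_MAC, "10.0.0.2", "10.0.0.1", 50000, 22),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_frame(f))
    print(flooding_report(SAMPLE_FRAMES))
```

On a real capture you would feed `parse_frame` the link-layer bytes of each packet (for example from a pcap reader) instead of `SAMPLE_FRAMES`; the classification logic is the same as checking the `eth.dst` column in Wireshark, with the multicast test being the low bit of the first destination byte.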