
I did a tcpdump capture, and when inspecting the results, I saw some data I couldn't understand.

Say the hostname of the box I did the capture on was box1.blah

I saw traffic like this:

box2.blah:45134 > box3.blah:7802

Now, I know what that traffic is, it's traffic used for the application failover function of HP NNMi, box2 being my primary NNMi box and box3 being my failover box.

I understand that the box1 NIC goes into promiscuous mode when tcpdump is started, but I thought you could only see traffic not addressed to you when using old school hubs, wireless, broadcast or multicast traffic?

None of these situations are true.

So what's going on?

bigyin
  • Did you try the -e option to see the MAC addresses involved? That might give a clue why this happens - maybe add a `tcpdump -e` output to your question for us. – xpac Feb 26 '16 at 13:06
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you could provide and accept your own answer. – Ron Maupin Aug 13 '17 at 18:00

2 Answers


Look at the actual hardware destination of the packet. Just because the IP was not a broadcast doesn't mean the hardware destination can't be. Functions like failover often operate via broadcast traffic (sent to ff:ff:ff:ff:ff:ff), which will be seen by every port on the subnet. If the destination is a MAC address that is not your PC, and the switch should have learned it (i.e. that host is active), then the packet should not have been sent to you, for the reason you stated. If you have the capture file, open it with a tool like Wireshark and you will be able to drill into a lot of detail.

Jeff Meden
    I think my guess would be that the failover target is idle, so it's unknown unicast flooding that is going on. – richardb Feb 26 '16 at 18:59

You are probably looking at what is referred to as Unicast Flooding.

When a switch receives a frame for which it doesn't know the destination MAC address, it floods it out all ports. There is more detail about that process and how a switch works in this thread: How does a switch learn a MAC address not in its lookup table?

This is normal behavior in Ethernet networks. Nothing to be concerned about.

Reasons for concern would be if you see this consistently and constantly, and the 'box3' MAC address is connected and sending frames regularly.

Eddie
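An added example, not part of the question or either answer, that applies the advice from both: take `tcpdump -e` output and classify every frame by its hardware destination, so unicast flooded to an absent host stands apart from broadcast, multicast, and traffic actually addressed to the capturing NIC. The local MAC and every sample line are constructed for the example (hypothetical, not from the page).

```python
import re
from collections import Counter

# Hypothetical MAC of the capturing host (box1.blah); not from the page.
LOCAL_MAC = "00:0c:29:aa:bb:01"

# Constructed `tcpdump -e` lines, not a real capture. All MACs are made up.
SAMPLE_LINES = """\
13:06:01.000001 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:03, ethertype IPv4 (0x0800), length 98: box2.blah.45134 > box3.blah.7802: Flags [P.], length 32
13:06:01.000002 00:0c:29:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has box3.blah tell box2.blah, length 28
13:06:01.000003 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 74: box2.blah.22 > box1.blah.51000: Flags [.], ack 1
13:06:01.000004 00:0c:29:aa:bb:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: box2.blah.5353 > 224.0.0.251.5353: UDP, length 78
13:06:01.000005 00:0c:29:aa:bb:02 > 00:0c:29:aa:bb:03, ethertype IPv4 (0x0800), length 98: box2.blah.45134 > box3.blah.7802: Flags [P.], length 32
"""

FRAME_RE = re.compile(  # tcpdump -e layout: timestamp src_mac > dst_mac, ethertype ...
    r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),",
    re.IGNORECASE,
)

def classify_dst(dst_mac, local_mac):
    """Explain why a frame with this destination MAC reached our NIC."""
    dst = dst_mac.lower()
    if dst == local_mac.lower():
        return "unicast-to-us"
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 0x01:  # I/G bit set => group (multicast) address
        return "multicast"
    # Unicast to another station: a switch only delivers this to us when it
    # floods an unknown destination MAC (or the segment is shared/mirrored).
    return "flooded-unicast"

def summarize(text, local_mac):
    """Count frames per class and tally destination MACs of flooded unicast."""
    counts, flooded = Counter(), Counter()
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        kind = classify_dst(m.group("dst"), local_mac)
        counts[kind] += 1
        if kind == "flooded-unicast":
            flooded[m.group("dst").lower()] += 1
    return counts, flooded

if __name__ == "__main__":
    counts, flooded = summarize(SAMPLE_LINES, LOCAL_MAC)
    print(dict(counts), dict(flooded))
```

A destination MAC that keeps showing up under `flooded-unicast` while its host is quiet is the idle-failover-target case both answers describe; the same MAC appearing as a source in the capture is the situation Eddie's last paragraph says to look into.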