In case of someone flooding your switch, you can have a hint regarding the
source of this flood. Depending on your switch's VLAN management method
(a CAM per switch or a CAM per VLAN), the result of the flood is not the
same. In the case of a CAM / VLAN, the flood will just concern this
VLAN, so you can more easily locate the source.
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of R. Benjamin
Kessler
Sent: Monday, November 3, 2003 15:26
To: gilberto.lima@xxxxxxxxxxxxx; ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Traffic not expected on a switch port
There are a couple of reasons a switch will "flood" TCP traffic out -
generally they're not good...
1 - Someone is running dsniff - probably not likely since you're not
seeing all other traffic on the switch; you'd probably notice the
slowdown in traffic as well.
2 - Unknown MAC address and thus the switch is "flooding" the traffic -
also unlikely since there is an established TCP session, the steps
required to establish the session generally get the MAC address placed
into the switch's bridging table. I've seen UDP traffic exhibit this
behavior - e.g. a SYSLOG server that is just receiving traffic all day
but not sending anything back.
3 - Too many entries in the MAC table - again, like #1 but not because
of malicious intent; I've seen "really old" switches have this problem
on large, flat networks that have more devices than could be supported
by the small MAC table.
4 - Bug in software/hardware on the switch - generally more difficult to
track down and fix.
~~~~~~~~~~
R. Benjamin Kessler
Network Engineer
CCIE #8762, CISSP, CCSE
Kessler Consulting
Email: ben@xxxxxxxxxxxxxxxxxxxxx http://www.kesslerconsulting.com
Phone: 260-625-3273
-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of BUYCK Jacky
FTRD/DMI/CAE
Sent: Monday, November 03, 2003 3:24 AM
To: gilberto.lima@xxxxxxxxxxxxx; ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Traffic not expected on a switch port
Hi all.
I've encountered the same kind of problem with a Nortel switch and we
weren't able to explain it for the moment.
Nortel has admitted a problem in an old version of the software of the BPS
2000 but this is the only thing we have.
-----Original Message-----
From: gilberto.lima@xxxxxxxxxxxxx [mailto:gilberto.lima@xxxxxxxxxxxxx]
Sent: Friday, October 31, 2003 14:18
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Traffic not expected on a switch port
Hi, could somebody give me a hand?
My machine is on a switch (3COM 3300) port and when I run Ethereal (on
Windows 2000) I see traffic between 2 Oracle Servers (TNS packets). Those
TNS packets have destination and source well specified, it's not a
broadcast.
I know I shouldn't be able to see that traffic, I should only see
broadcast, multicast and traffic intended to my machine.
Thanks,
Gilberto.
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
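Added example, not part of the thread and not Ethereal code: a Python sketch that triages (source MAC, destination MAC) pairs exported from a capture on one switch port, isolating unicast frames between other hosts and attaching a hint keyed to the four reasons listed in the thread. The `triage` function, the `src_threshold` value and all MAC addresses are constructed assumptions.

```python
from collections import Counter

def is_group(mac):
    """Broadcast and multicast MACs have the I/G bit (LSB of octet 1) set."""
    return int(mac.split(":")[0], 16) & 1 == 1

def triage(frames, my_mac, src_threshold=1000):
    """Summarize unicast frames between other hosts seen on one switch port.

    frames: (src_mac, dst_mac) pairs, lowercase colon-separated.
    src_threshold: assumed alert level for distinct source MACs; set it
    from your switch's documented table size (not a value from the thread).
    Returns (src, dst, frame_count, hint) tuples; hints are leads to
    confirm on the switch, not proof.
    """
    sources = {src for src, _ in frames}
    flooded = Counter(
        (src, dst) for src, dst in frames
        if not is_group(dst) and my_mac not in (src, dst)
    )
    report = []
    for (src, dst), count in sorted(flooded.items()):
        if dst not in sources:
            # Destination never transmitted in this capture, so the switch
            # may hold no table entry for it (reason 2, e.g. a syslog sink).
            hint = "silent-destination"
        elif len(sources) >= src_threshold:
            # Very many source MACs: table exhaustion (reasons 1 and 3).
            hint = "table-exhaustion"
        else:
            # Both ends talk and few MACs: small table or switch bug (3, 4).
            hint = "check-table-size-and-firmware"
        report.append((src, dst, count, hint))
    return report

# Constructed sample (locally administered MACs, not from the thread).
ME, ORA_A, ORA_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
LOG_CLIENT, SYSLOG = "02:00:00:00:00:0c", "02:00:00:00:00:0d"
SAMPLE = (
    [(ORA_A, ORA_B)] * 3 + [(ORA_B, ORA_A)] * 2      # TNS-like session
    + [(LOG_CLIENT, SYSLOG)] * 4                      # one-way UDP logging
    + [(ORA_A, "ff:ff:ff:ff:ff:ff"), (LOG_CLIENT, "01:00:5e:00:00:fb")]
    + [(ME, ORA_A), (ORA_A, ME)]                      # the capturing host
)

if __name__ == "__main__":
    for row in triage(SAMPLE, ME):
        print(*row)
```

A destination that looks silent from one port may still be transmitting frames the switch forwards correctly elsewhere, so confirm any hint against the switch's own MAC table.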