On Jul 14, 2009, at 1:21 AM, mv652@xxxxxxxxxxxx wrote:
I'd appreciate if someone could take a look at the attached capture
of 11 packets and explain why I am able to see the TCP & SMB
negotiation between these two hosts.
My capturing device has IP Address 10.0.4.26 connected on the same
switch, same VLAN as the two systems in the capture (10.0.4.50 &
10.0.4.6). The capturing system's nic is in promiscious mode.
Note - I understand why I see the ARP request as it's a broadcast to
the network address, what I don't understand is why I see the rest
of the communication between the two. I even see an ICMP reply from
one host to the other, but not the original request.
These systems are running on a managed switch, not a hub.
Perhaps the switch is, for some unknown reason, putting traffic sent
from 10.0.4.50, or traffic sent to 10.0.4.6, onto the switch port into
which the capturing machine is plugged, as well as the port into which
the machine with MAC address 00:17:3f:0a:c5:3a (i.e., 10.0.4.6) - but
not doing that with traffic going the other way.