Wireshark-users: Re: [Wireshark-users] TCP / SMB Broadcast?

From: Chad Dailey <wireshark@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Jul 2009 09:42:08 -0500
Mario--

It is not uncommon for high speed switches to flood the first series of frames between two hosts to all ports on a VLAN.  This allows forwarding to occur without the delay penalty of waiting for session setup in the management plane of the switch.  Once the session setup is complete, you should no longer see the traffic.  Alternatively, is port mirroring set up properly?

Chad

On Tue, Jul 14, 2009 at 3:21 AM, <mv652@xxxxxxxxxxxx> wrote:

Hi,
I'd appreciate it if someone could take a look at the attached capture of 11 packets and explain why I am able to see the TCP & SMB negotiation between these two hosts.
My capturing device has IP Address 10.0.4.26 connected on the same switch, same VLAN as the two systems in the capture (10.0.4.50 & 10.0.4.6).  The capturing system's NIC is in promiscuous mode.

Note - I understand why I see the ARP request as it's a broadcast to the network address, what I don't understand is why I see the rest of the communication between the two.  I even see an ICMP reply from one host to the other, but not the original request.

These systems are running on a managed switch, not a hub.

Thanks,
Mario
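
One way to triage a capture like the one discussed in this thread is to sort frames by destination MAC and list the unicast conversations that were not addressed to the capturing NIC, per direction and with timestamps. This is an added example, not code from either poster or from Wireshark; the MAC addresses and frames are constructed, and it assumes the capturing NIC's MAC is known and the frames are untagged Ethernet.

```python
import socket
from collections import Counter

BROADCAST, ARP, IPV4 = b"\xff" * 6, b"\x08\x06", b"\x08\x00"

def classify(frame, local_mac):
    """Classify one Ethernet frame relative to the capturing NIC's MAC."""
    dst, src = frame[0:6], frame[6:12]
    if src == local_mac:
        return "from-us"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        return "multicast"
    return "to-us" if dst == local_mac else "foreign-unicast"

def ipv4_pair(frame):
    """Return (src_ip, dst_ip) for an untagged IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != IPV4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def triage(capture, local_mac):
    """capture: (timestamp, frame) pairs. Returns (class counts, foreign flows)."""
    classes, flows = Counter(), {}
    for ts, frame in capture:
        kind = classify(frame, local_mac)
        classes[kind] += 1
        pair = ipv4_pair(frame)
        if kind == "foreign-unicast" and pair:
            flows.setdefault(pair, []).append(ts)  # timestamps per direction
    return classes, flows

def make_frame(dst, src, ethertype, sip="0.0.0.0", dip="0.0.0.0"):
    """Constructed test frame: Ethernet header plus a minimal IPv4-shaped header."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0])
    return dst + src + ethertype + ip + socket.inet_aton(sip) + socket.inet_aton(dip)

US, H50, H6 = (bytes.fromhex(m) for m in ("02000000041a", "020000000432", "020000000406"))
SAMPLE = [  # constructed frames and MACs; the IP addresses are the ones named in the thread
    (0.000, make_frame(BROADCAST, H50, ARP)),  # broadcast; payload bytes unused
    (0.001, make_frame(H50, H6, IPV4, "10.0.4.6", "10.0.4.50")),
    (0.002, make_frame(H6, H50, IPV4, "10.0.4.50", "10.0.4.6")),
    (0.003, make_frame(H50, H6, IPV4, "10.0.4.6", "10.0.4.50")),
    (5.000, make_frame(US, H50, IPV4, "10.0.4.50", "10.0.4.26")),
]

if __name__ == "__main__":
    print(triage(SAMPLE, US))
```

Foreign unicast frames that stop shortly after a conversation begins fit the flooding described in the reply; frames that continue for the whole capture point toward checking the port mirroring configuration.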
