Wireshark-users: Re: [Wireshark-users] Packets Replicated

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sat, 7 Aug 2010 13:42:26 +1000
James,

I assume you are looking at this because there is a problem to solve - can you elaborate on this?
UDP is by nature a datagram-only protocol. Depending on the application protocol that is using UDP, it might well be a normal error recovery mechanism to send duplicate packets. (This is up to the application, not the IP stack).

If the destination MAC address is unknown by this switch then it can get flooded (duplicated) out of all ports, but only out of ports other than the one originally received. So unless you have a switch loop, the switch should send multiple copies of the one packet.

If your switch is also a router it could be that you might have received an ICMP redirect, which might direct the sender to use the switch as a new destination rather than the previous MAC address. You would normally see those packets as well.

You probably want to send a more comprehensive capture for us to look at, we are just stabbing in the dark otherwise.

Regards, Martin

MartinVisser99@xxxxxxxxx


On Sat, Aug 7, 2010 at 5:19 AM, Fraasch, James M. <James.Fraasch@xxxxxxxxxxxxxx> wrote:

Hi, I have a packet capture and it appears that UDP packets are getting sent 8 times but I can confirm from the workstation that this is not the case. Perhaps the switch is reflecting the packets 8 times.

However, the more confusing question is that I can see the original source packet going to the correct destination but then after the first packet the source keeps the same IP address but the mac address changes to the mac of my switch. The source becomes Ethernet II, Src: Cisco_64:62:40

But of course, the IP address on the same packet is the IP of the original workstation that sent the packet.

Is it possible that there is no ARP going on from the workstation so the packet is just sent out all ports of the switch? If so, shouldn't the switch have the destination mac in its table and just switch the packet there?  I ask because I have exactly 8 ports mirrored.

James
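Added example, not part of either message: one way to summarise a capture like the one discussed is to group frames that carry the same IPv4 datagram and list the source MAC and TTL of every copy. The frames, MAC addresses and IP addresses below are constructed for illustration, and the function names are hypothetical.

```python
import struct
from collections import Counter, defaultdict

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Parse an Ethernet II / IPv4 frame; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:34]
    ip_id, frag = struct.unpack("!HH", ip[4:8])
    # Datagram identity: src IP, dst IP, protocol, IP ID, fragment offset
    key = (".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
           ip[9], ip_id, frag & 0x1FFF)
    return key, fmt_mac(frame[6:12]), ip[8]  # key, source MAC, TTL

def find_copies(frames):
    """Map each datagram seen more than once to a Counter of (source MAC, TTL)."""
    seen = defaultdict(Counter)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            key, src_mac, ttl = parsed
            seen[key][(src_mac, ttl)] += 1
    return {k: c for k, c in seen.items() if sum(c.values()) > 1}

def make_frame(src_mac, dst_mac, ip_src, ip_dst, ip_id, ttl):
    """Build a constructed UDP-in-IPv4 test frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, ttl, 17, 0,
                     bytes(map(int, ip_src.split("."))),
                     bytes(map(int, ip_dst.split("."))))
    udp = struct.pack("!HHHH", 5000, 5001, 8, 0)
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip + udp

# Constructed sample: one frame from the workstation MAC, seven copies of the
# same datagram with a second source MAC and a lower TTL, and one unrelated
# datagram that appears only once.
HOST, SWITCH, DEST = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE = ([make_frame(HOST, DEST, "192.0.2.10", "192.0.2.20", 0x1234, 128)]
          + [make_frame(SWITCH, DEST, "192.0.2.10", "192.0.2.20", 0x1234, 127)] * 7
          + [make_frame(HOST, DEST, "192.0.2.10", "192.0.2.20", 0x1235, 128)])

if __name__ == "__main__":
    for key, copies in find_copies(SAMPLE).items():
        print(key, dict(copies))
```

Copies that share the source MAC and TTL of the first frame were duplicated at layer 2 (flooding or mirroring); copies with a different source MAC and a decremented TTL were forwarded by a router.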

