There are a couple of reasons a switch will "flood" TCP traffic out - generally they're not good...
1 - Someone is running dsniff - probably not likely since you're not seeing all other traffic on the switch; you'd probably notice the slowdown in traffic as well.

2 - Unknown MAC address and thus the switch is "flooding" the traffic - also unlikely since there is an established TCP session, the steps required to establish the session generally get the MAC address placed into the switch's bridging table. I've seen UDP traffic exhibit this behavior - e.g. a SYSLOG server that is just receiving traffic all day but not sending anything back.

3 - Too many entries in the MAC table - again, like #1 but not because of malicious intent; I've seen "really old" switches have this problem on large, flat networks that have more devices than could be supported by the small MAC table.

4 - Bug in software/hardware on the switch - generally more difficult to track down and fix.

~~~~~~~~~~
R. Benjamin Kessler
Network Engineer
CCIE #8762, CISSP, CCSE
Kessler Consulting
Email: [EMAIL PROTECTED]
http://www.kesslerconsulting.com
Phone: 260-625-3273

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of BUYCK Jacky FTRD/DMI/CAE
Sent: Monday, November 03, 2003 3:24 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Ethereal-users] Traffic not expected on a switch port

Hi all.

I've encountered the same kind of problem with a Nortel switch and we weren't able to explain it for the moment. Nortel has admitted a problem in an old version of the software of the BPS 2000 but this is the only thing we have.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 14:18
To: [EMAIL PROTECTED]
Subject: [Ethereal-users] Traffic not expected on a switch port

Hi,

could somebody give me a hand? My machine is on a switch (3COM 3300) port and when I run Ethereal (on Windows 2000) I see traffic between 2 Oracle Servers (TNS packets). Those TNS packets have destination and source well specified, it's not a broadcast.

I know I shouldn't be able to see that traffic, I should only see broadcast, multicast and traffic intended for my machine.

Thanks,
Gilberto.

_______________________________________________
Ethereal-users mailing list
[EMAIL PROTECTED]
http://www.ethereal.com/mailman/listinfo/ethereal-users
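
Added example, not part of the original thread: a toy Python model of a learning switch that reproduces reasons 2 and 3 from the reply above (a destination that never transmits, and a MAC table too small for the network). The class, port numbers, host names and the rule that a full table refuses new entries are assumptions made for the illustration; real switches may evict old entries instead.

```python
# Added illustration: a toy model of a learning (transparent-bridging) switch.
# Port numbers, MAC names and the table size are constructed for the example.

class LearningSwitch:
    def __init__(self, ports, table_size):
        self.ports = list(ports)
        self.table_size = table_size
        self.mac_table = {}  # source MAC -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        # Learning: record the source MAC if known already or if there is room.
        # Assumption: a full table refuses new entries (some switches evict).
        if src in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[src] = in_port
        # Forwarding: a known unicast destination goes out of exactly one port.
        out = self.mac_table.get(dst)
        if out is not None:
            return [] if out == in_port else [out]
        # Unknown destination: flood out of every port except the ingress port.
        return [p for p in self.ports if p != in_port]


def silent_receiver():
    """Reason 2: a syslog-style host that only receives is never learned."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=8)
    before = [sw.receive(1, "client", "syslog") for _ in range(3)]
    sw.receive(2, "syslog", "client")   # the server finally transmits once
    after = sw.receive(1, "client", "syslog")
    return before, after


def full_table():
    """Reason 3: more hosts than table entries, so late arrivals stay unknown."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=2)
    sw.receive(1, "hostA", "hostB")     # learns hostA (hostB still unknown)
    sw.receive(2, "hostB", "hostA")     # learns hostB, table is now full
    sw.receive(3, "oraX", "oraY")       # oraX cannot be learned
    sw.receive(4, "oraY", "oraX")       # oraY cannot be learned
    # Both late hosts have transmitted, yet their session is still flooded,
    # while the two hosts that made it into the table are switched normally.
    return sw.receive(3, "oraX", "oraY"), sw.receive(1, "hostA", "hostB")


if __name__ == "__main__":
    print("silent receiver:", silent_receiver())
    print("full table:", full_table())
```

In the first case the flooding stops as soon as the receiver sends a single frame; in the second it persists even though both ends of the session are transmitting, which matches the symptom of an established TCP session showing up on an unrelated port.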