Ethereal-users: Re: [Ethereal-users] Newbie Question - Why can I see traffic between two hosts o
Ben Langridge a écrit :
Hi,
Running Ethereal on my switched (Cisco) network, I occasionally see TCP packets
that have a source and destination address neither of which are my own machine
or broadcast addresses. Surely without some ARP poisoning/flooding, I shouldn't
be able to see these on a switched network?
Hi,
I experience this sometimes too, on a small Ethernet 10/100 switched
network. What I imagine is that these packets are sent to you because
the switch did not know where to send them, and sent them everywhere
(like a broadcast). This is the case especially when sending a packet to
an unknown MAC address, or if the switch's forwarding database is full,
or maybe if the arp cache timed out when the packet arrived (?). I guess
the reason is somewhere in the ARP/Ethernet protocols and some of their
implementations (limited-size databases and buffers, etc).
I also remarked that the hosts involved were often the same, a network
printer and a linux host. I have no idea why these and not others.
I even get some HTTP passwords like this :)
Best regards,
--
Julien Leproust
Ercom S.A.