Wireshark-users: Re: [Wireshark-users] unicast traffic in promiscuous interface capture
From: Marc Luethi <netztier@xxxxxxxxxx>
Date: Thu, 31 Jan 2008 16:03:44 +0100
On Thu, 2008-01-31 at 14:16 +0200, Alex Nedelcu wrote:

> Could this be unknown unicast traffic flooded my port?

Very possibly.

This happens if split path "routing" occurs at layer two, when you have
multiple L2 paths between hosts A and host B, and spanning tree costs
and root for that (V)LAN are configured to prefer separate paths for
each direction.

Imagine this: Your switch has two uplinks to two different backbone
switches, one to the "left", one to the "right". The Backbone Switches
themselves are also interconnected via some path. Unluckily, the
backbone switch on the A prefers the path through your switch to get to
B, while the backbone switch on the B side preferes the other path back
to the A side.

Now your switch sees incoming traffic from the A side and has to flood
it if there is no matching entry for host B in the
MAC-address-to-port-table. Since the return traffic frames from Host B
to A do not flow across your switch, it will never learn B's source
address and will have to continue to flood all traffic coming from host
A.

This becomes especially bad if A is sending a 100MBytes/sec stream to B
through your switch, to which your system is connected at 100Mbit/s
only. Been there, done that, no t-shirt; but got the thing with the MAC
aging timers right afterwards...


regards

Marc