Wireshark-users: Re: [Wireshark-users] SMB Broadcast Traffic
From: "Stephen Bader" <sbader@xxxxxxxxx>
Date: Fri, 21 Nov 2008 15:46:44 -0600
Marc,

Thank you for your input. I have found the cause of the problem, and you are correct that the switch I was on had not learned the MAC address of the target device.

Sometimes it is good to be able to bounce this stuff out there and get a fresh set of eyes to look at it and provide input.

Thank you again for your help!

-Steve

On Fri, Nov 21, 2008 at 12:17 PM, Marc Luethi <netztier@xxxxxxxxxx> wrote:
On Fri, 2008-11-21 at 10:11 -0600, Stephen Bader wrote:

> In looking at the output from Wireshark, I'm unable to determine why
> the laptop would have been sent a copy of this packet. Have any of you
> ever seen anything like this? Am I overlooking something in the packet
> that is causing it to be broadcast across the entire vlan?

Investigate the CAM tables of all switches involved and the spanning
tree situation of the VLAN your wireshark sniffer and the other client
are connected to,

Probably "your" switch has never (or long enough for the CAM table
timeout to occur) seen an ethernet frame from that client back to the
server (or to anyhwere else, for that matter), hence it does not know
beyond which one of it's ports that client's MAC address "lives".

But for some reason (maybe because of a stale CAM table entry in it's
upstream switch), frames with that client's destination MAC address are
forwarded to "your" switch, and since it does not know exactly where to
forward them to, it does what switches always do with frames containing
yet-unknown destination addresses: flood them out of all ports of that
VLAN, which is why you'll see them.

If you'll send a ping to that client from your wireshark laptop, it's
ARP and ICMP Echo replies will give the switch(es) a chance to relearn
that client's MAC-address, and the flooding of these frames should stop
instantly.

On a side note: This just goes to show that considering a switched
network "more secure" than a shared media type network (i.e. a Hub or
stretch of Coax cable with T connectors) is an illusion. Information
leaking can and will occur in a single broadcast domain network. VLANs
bring broadcast domain separation and can help here, but "switching"
alone won't.

regards

Marc






_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users