mv652@xxxxxxxxxxxx wrote:
Hi,
I'd appreciate if someone could take a look at the attached capture of
11 packets and explain why I am able to see the TCP & SMB negotiation
between these two hosts.
My capturing device has IP Address 10.0.4.26 connected on the same
switch, same VLAN as the two systems in the capture (10.0.4.50 &
10.0.4.6). The capturing system's nic is in promiscious mode.
Note - I understand why I see the ARP request as it's a broadcast to the
network address, what I don't understand is why I see the rest of the
communication between the two. I even see an ICMP reply from one host
to the other, but not the original request.
These systems are running on a managed switch, not a hub.
As Sake pointed out, binary files are easier for folks to digest and
offer help. But there's only a small chance that your trace file will
show anything significant.
Besides what others wrote already, make sure you routers arp and
switches cam timers are set identically. Cisco's router default and
Cisco's tcam timers are different by default. And it can lead to
flooding of unicast packets.
Also, if you have the typical U design (two routers at top, connected to
two switches on the bottom, the two switches connected together to form
a U), the flow of packets can confuse the switch and cause unicast flooding.
You should a) post a binary trace of your problem and b) share your
topology with a a bit more detail if required.
--
Thanks,
Hansang
