Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2022-12-09 12:51:14 +0000

SYN-bit gravatar image

One packet will not tell the truth, the whole truth and nothing but the truth... but, one can imagine this is a normal valid packet if:

  • There was a session from host computer1:55764 to 119.23.52.119:51413 before (or there is a port forwarder that forwards outside traffic on a certain port to computer1:55764)
  • and computer1 was active for a while, resulting in the router having an arp entry in its arp table that did not yet time out
  • and computer1 is now not connected anymore for a short while, resulting in the forwarding entry on the switch to have timed out

This would mean the router sends the incoming packet to the mac address of computer1, but since the (internal) switch does not know where the mac lives, it needs to flood the packet out of all ports.

One can think of other variants of this story to explain why there is a unicat packets seen on a host it was not meant to be. If there are a lot of packets that don't seem to follow normal switching rules, that is something to investigate. If there are a couple, still interesting to investigate, but you will probably find very logical causes :-)