Normally you would not be able to see packets on the Wireshark PC when they are sent between two other systems connected to the same switch (see: https://wiki.wireshark.org/CaptureSetup/Ethernet). The fact that you do see the syslog packets makes me believe the syslog receiver does not generate (a lot of) packets, so the switch forgets on which port its MAC address is seen. This means syslog packets will be flooded to all ports until the syslog system needs to send a packet itself (either when it has something to share with the world, or when it needs to respond to ARP packets).

As the syslog packets to the SaaS service are sent over the default gateway, they are not seen on other ports, as the gateway most likely continuously sends out packets, which means the switches know exactly which port to send the traffic to and no flooding takes place.

The proper way to capture packets in a switched network would be to configure port mirroring to make sure the packets of interest are being sent to your Wireshark PC. See the link mentioned above.
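To make the switch behaviour described in this answer concrete, here is an added example (not part of the answer above, and not Wireshark code) that models a learning switch's MAC address table with entry aging. The MAC addresses, port numbers and the 300-second aging time are constructed for illustration; the scenario puts the syslog sender on port 1, the quiet syslog receiver on port 2, the Wireshark PC on port 3 and the chatty default gateway on port 4.

```python
"""
Added example: a minimal model of a learning switch, showing why frames to a
quiet host are flooded to every port (so a capture PC sees them) while frames
to a chatty host such as the default gateway are delivered to one port only.
All addresses, ports and timings below are constructed, not taken from a real
network.
"""

# Constructed MAC addresses for the four hosts in the scenario.
SYSLOG_SENDER = "02:00:00:00:00:01"
SYSLOG_RECEIVER = "02:00:00:00:00:02"
WIRESHARK_PC = "02:00:00:00:00:03"
GATEWAY = "02:00:00:00:00:04"

# Constructed port assignment on the switch.
SENDER_PORT, RECEIVER_PORT, WIRESHARK_PORT, GATEWAY_PORT = 1, 2, 3, 4


class LearningSwitch:
    """Learns source MAC -> ingress port and ages out idle entries."""

    def __init__(self, ports, aging_seconds=300.0):
        self.ports = set(ports)
        self.aging_seconds = aging_seconds   # assumed aging timer, constructed value
        self.table = {}                      # mac -> (port, last_seen_time)

    def _expire(self, now):
        # Forget any MAC address not seen as a *source* within the aging window.
        stale = [mac for mac, (_, seen) in self.table.items()
                 if now - seen > self.aging_seconds]
        for mac in stale:
            del self.table[mac]

    def forward(self, src_mac, dst_mac, in_port, now):
        """Return the set of egress ports that receive a frame."""
        self._expire(now)
        self.table[src_mac] = (in_port, now)     # learn (or refresh) the sender
        entry = self.table.get(dst_mac)
        if entry is None:
            # Unknown unicast: flood out every port except the one it arrived on.
            return self.ports - {in_port}
        return {entry[0]}                        # known destination: one port only


def simulate():
    """Replay the scenario from the answer and return who receives what."""
    sw = LearningSwitch(ports={1, 2, 3, 4})
    results = {}

    # t=0: the receiver answers an ARP request, so the switch learns it on port 2.
    sw.forward(SYSLOG_RECEIVER, SYSLOG_SENDER, RECEIVER_PORT, now=0)

    # t=10: a syslog message to the receiver while its entry is fresh: port 2 only.
    results["fresh"] = sw.forward(SYSLOG_SENDER, SYSLOG_RECEIVER, SENDER_PORT, now=10)

    # The gateway keeps sending frames every 30 s, so its entry never ages out.
    for t in range(30, 601, 30):
        sw.forward(GATEWAY, SYSLOG_SENDER, GATEWAY_PORT, now=t)

    # t=600: the silent receiver's entry has aged out, so the syslog frame is
    # flooded and the Wireshark PC on port 3 sees it.
    results["aged"] = sw.forward(SYSLOG_SENDER, SYSLOG_RECEIVER, SENDER_PORT, now=600)

    # t=600: syslog to the SaaS service goes via the gateway, which is still
    # known, so it is delivered to port 4 only and the capture PC sees nothing.
    results["gateway"] = sw.forward(SYSLOG_SENDER, GATEWAY, SENDER_PORT, now=600)
    return results


if __name__ == "__main__":
    for name, ports in simulate().items():
        seen = "seen" if WIRESHARK_PORT in ports else "not seen"
        print(f"{name:8s} -> ports {sorted(ports)} ({seen} by Wireshark PC)")
```

Running the script shows the three cases from the answer: the frame to the freshly learned receiver goes to port 2 only, the same frame after the entry has aged out is flooded to ports 2, 3 and 4, and the frame towards the gateway always goes to port 4 only. Port mirroring, as the answer recommends, is what makes the first and third cases visible to the capture PC without relying on this flooding.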