Hi all, this is the architecture:

Switch A -> Interface Vlan X -> HSRP Version 1 -> PC A

In the Wireshark capture taken by PC A:

Switch A -> Interface Vlan Y -> HSRP Version 2 -> PC B

In the Wireshark capture taken by PC B:

Question: Why does the capture of PC B show me this TTL info even though it is correct and present in the pcap that the HSRP-TTL is 1?

asked 25 Mar '15, 07:54 ValerioItaly
2 Answers:
According to the Wireshark code and your capture file, the expert info is wrong for your case, because the expert module is just looking at the IP address (224.0.0.102) which is usually tied to Cisco GLBP, where the TTL is expected to be 255 (like VRRP).

Your sample frame is actually HSRP, using the same IP address (224.0.0.102), however with a TTL of 1 (which is expected for HSRP).

So, the Wireshark expert is triggering on the IP address (224.0.0.102) with a "wrong" TTL (expected: 255, real: 1).

Either you reconfigure your HSRP routers to use a different IP address, or you simply ignore the Wireshark expert message.

File: packet-ip.c

Regards

answered 25 Mar '15, 17:10 Kurt Knochner ♦
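The address-only lookup this answer describes, and the HSRPv2 false positive it produces, as an added C example that is not code from Wireshark's packet-ip.c. The table contents, the function names, the HSRPv1 group 224.0.0.2 and the HSRP UDP port 1985 are assumptions not taken from the page; the port-aware variant is one possible way to tell HSRPv2 from GLBP, not something the page says Wireshark does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define UDP_PORT_HSRP 1985  /* assumption: standard HSRP port, not stated on the page */

/* Constructed exception table: groups in 224.0.0.0/24 whose expected TTL is not 1. */
struct ttl_rule { uint32_t dst; int ttl; };
static const struct ttl_rule exceptions[] = {
    { IP4(224,0,0,18),  255 },  /* VRRP */
    { IP4(224,0,0,102), 255 },  /* GLBP; HSRPv2 uses the same group with TTL 1 */
};

/* Address-only check: expected TTL for dst, or -1 if dst is outside 224.0.0.0/24. */
int expected_ttl_by_addr(uint32_t dst)
{
    if ((dst & 0xFFFFFF00u) != IP4(224,0,0,0)) return -1;
    for (size_t i = 0; i < sizeof exceptions / sizeof exceptions[0]; i++)
        if (exceptions[i].dst == dst) return exceptions[i].ttl;
    return 1;  /* default for the Local Network Control Block */
}

/* Port-aware variant (hypothetical): HSRPv2 on 224.0.0.102 is expected to use TTL 1. */
int expected_ttl_by_addr_port(uint32_t dst, uint16_t udp_dport)
{
    if (dst == IP4(224,0,0,102) && udp_dport == UDP_PORT_HSRP)
        return 1;
    return expected_ttl_by_addr(dst);
}

/* 1 if a frame with this TTL would get the "unexpected TTL" note, else 0. */
int flags_ttl(int expected, uint8_t ttl)
{
    return expected >= 0 && expected != (int)ttl;
}

int main(void)
{
    uint32_t grp = IP4(224,0,0,102);  /* constructed HSRPv2 hello: TTL 1, UDP 1985 */
    printf("address only: flagged=%d\n", flags_ttl(expected_ttl_by_addr(grp), 1));
    printf("address+port: flagged=%d\n",
           flags_ttl(expected_ttl_by_addr_port(grp, UDP_PORT_HSRP), 1));
    return 0;
}
```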
Looking at the source code, there are a couple of multicast MAC addresses in the Local Network Control Block (224.0.0.0/24) that do not have a TTL of 1. It looks like your trace of HSRP 2 traffic is matching one of the exceptions.

Are you able to post a small capture file with the HSRP 2 packets (on Cloudshark for instance)? It would be easier to determine if there is a bug in the Wireshark code.

answered 25 Mar '15, 12:29 SYN-bit ♦♦

Thanks a lot for your support. Here you can find an example of what I see: (25 Mar '15, 13:46) ValerioItaly
Ok Kurt, your answer is very clear! Thanks a lot to you and to SYN-bit for the support :)