Hi, I'm running Wireshark on a server to see packets from/to this server, but something strange is happening: I see conversations between other sources and destinations, and this server is not part of these conversations. I'm sure that there is no mirror port to this server, so I'm wondering?! Any help? asked 11 Aug '15, 23:26 Mahmoud Saad
One Answer:
If you're seeing only single packets at a time, that's normal: switches drop MAC addresses after a while and re-learn them. While the MAC is not in the MAC address table, the packet is flooded to all ports. That means that Wireshark will also see it. After the flooding of the packet, the MAC is relearned and the flooding stops. answered 11 Aug '15, 23:33 Jasper
Thanks Jasper, but the extra captured traffic is not broadcast; I see TCP conversations.
Yep, I was talking about unicasts. They get flooded by the switch if the MAC address is unknown. You should only see single packets, though, not full conversations. If you see full conversations, your switch may have fallen back into "flood all" mode, which usually only happens when it is really overloaded.
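A small checker for the distinction Jasper draws, added here as an example and not code from the original thread: it takes decoded frames (the `SAMPLE` list and `LOCAL_MAC` below are constructed sample data, not real traffic) and separates the occasional single flooded unicast, which is normal MAC-table aging, from sustained conversations between other hosts, which point to a switch that is flooding everything.

```python
from collections import Counter

def is_group_address(mac):
    # The I/G bit (low bit of the first octet) marks multicast and broadcast
    # destinations; those are legitimately delivered to every port.
    return int(mac.split(":")[0], 16) & 1 == 1

def foreign_unicast(frames, local_mac):
    """Yield frames this host should not normally see: unicast frames that
    are neither sent by nor addressed to local_mac."""
    local_mac = local_mac.lower()
    for f in frames:
        src, dst = f["src_mac"].lower(), f["dst_mac"].lower()
        if local_mac in (src, dst) or is_group_address(dst):
            continue
        yield f

def flooded_conversations(frames, local_mac, sustained=5):
    """Count foreign unicast frames per endpoint pair.  A single stray frame
    is the normal aged-out-MAC flood; a sustained run suggests the switch is
    flooding all traffic (overloaded / behaving like a hub)."""
    counts = Counter()
    for f in foreign_unicast(frames, local_mac):
        a = f.get("src_ip", f["src_mac"])
        b = f.get("dst_ip", f["dst_mac"])
        counts[tuple(sorted((a, b)))] += 1
    return {pair: (n, "sustained" if n >= sustained else "occasional")
            for pair, n in counts.items()}

# Constructed sample capture (not real traffic): this host is LOCAL_MAC.
LOCAL_MAC = "00:11:22:33:44:55"
SAMPLE = [
    # broadcast ARP request: expected on every port
    {"src_mac": "00:aa:00:00:00:05", "dst_mac": "ff:ff:ff:ff:ff:ff"},
    # traffic addressed to us: expected
    {"src_mac": "00:aa:00:00:00:05", "dst_mac": LOCAL_MAC,
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.1"},
    # one stray unicast between two other hosts: MAC aged out, flooded once
    {"src_mac": "00:aa:00:00:00:05", "dst_mac": "00:aa:00:00:00:09",
     "src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"},
] + [
    # a whole TCP conversation between two other hosts, alternating direction
    {"src_mac": "00:aa:00:00:00:07" if i % 2 == 0 else "00:aa:00:00:00:08",
     "dst_mac": "00:aa:00:00:00:08" if i % 2 == 0 else "00:aa:00:00:00:07",
     "src_ip": "10.0.0.7" if i % 2 == 0 else "10.0.0.8",
     "dst_ip": "10.0.0.8" if i % 2 == 0 else "10.0.0.7"}
    for i in range(6)
]

if __name__ == "__main__":
    for pair, (n, verdict) in flooded_conversations(SAMPLE, LOCAL_MAC).items():
        print(f"{pair[0]} <-> {pair[1]}: {n} frame(s), {verdict}")
```

On a real capture, feed it the per-frame source/destination MAC and IP fields exported from Wireshark or tshark; the threshold is a rough cut-off, not a switch-specific constant.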
Thanks Jasper
@Mahmoud Saad,
If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.