Wireshark mailing list archives

Re: Packets Replicated


From: Martin Visser <martinvisser99 () gmail com>
Date: Sat, 7 Aug 2010 13:42:26 +1000

James,

I assume you are looking at this because there is a problem to solve - can
you elaborate on this?
UDP is by nature a datagram only protocol. Depending on the application
protocol that is using UDP, it might well be a normal error recovery
mechanism to send duplicate packets. (This is up to the application, not the
IP stack).

If the destination MAC address is unknown by this switch then it can get
flooded (duplicated) out of all ports, but only out of ports other than the
one it was originally received on. So unless you have a switch loop, the switch
should send multiple copies of the one packet.

If your switch is also a router it could be that you might have received an
ICMP redirect, which might direct the sender to use the switch as a new
destination rather than the previous MAC address. You would normally see
those packets as well.

You probably want to send a more comprehensive capture for us to look at, we
are just stabbing in the dark otherwise.

Regards, Martin

MartinVisser99 () gmail com


On Sat, Aug 7, 2010 at 5:19 AM, Fraasch, James M. <
James.Fraasch () ansaldo-sts us> wrote:

Hi, I have a packet capture and it appears that UDP packets are getting
sent 8 times but I can confirm from the workstation that this is not the
case. Perhaps the switch is reflecting the packets 8 times.

However, the more confusing question is that I can see the original source
packet going to the correct destination but then after the first packet the
source keeps the same IP address but the mac address changes to the mac of
my switch. The source becomes Ethernet II, Src: Cisco_64:62:40

But of course, the IP address on the same packet is the IP of the original
workstation that sent the packet.

Is it possible that there is no ARP going on from the workstation so the
packet is just sent out all ports of the switch? If so, shouldn't the switch
have the destination mac in its table and just switch the packet there?  I
ask because I have exactly 8 ports mirrored.

James

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

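Added example, not part of the original thread: one way to check whether the repeated frames in a capture are layer-2 copies (flooding or a mirror port) or copies captured again after routing, which is the case where the source MAC changes while the source IP stays the same. The function names, MAC and IP addresses, ports and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse(frame):
    """Return (key, src_mac, ttl) for an IPv4 Ethernet II frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident = struct.unpack("!HH", ip[2:6])
    # Key on fields neither a switch nor a router rewrites; drop Ethernet padding.
    key = (ip[12:16], ip[16:20], ident, ip[9], ip[ihl:total_len])
    return key, frame[6:12].hex(":"), ip[8]

def find_copies(frames):
    """Group frames carrying the same IP packet and classify the extra copies."""
    groups = defaultdict(list)
    for frame in frames:
        parsed = parse(frame)
        if parsed:
            groups[parsed[0]].append(parsed[1:])
    report = []
    for key, seen in groups.items():
        if len(seen) < 2:
            continue
        mac0, ttl0 = seen[0]
        report.append({
            "ip_id": key[2],
            "copies": len(seen),
            # Same source MAC and TTL: a layer-2 copy (flooding, mirror port).
            "bridged": sum(1 for m, t in seen[1:] if (m, t) == (mac0, ttl0)),
            # New source MAC and lower TTL: routed, then captured again.
            "routed": sum(1 for m, t in seen[1:] if m != mac0 and t < ttl0),
            "src_macs": sorted({m for m, _ in seen}),
        })
    return report

def build(src_mac, dst_mac, ttl, ident, payload):
    """Constructed test frame: Ethernet II / IPv4 / UDP, checksums left at zero."""
    udp = struct.pack("!HHHH", 5000, 5001, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, ttl, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 1, 9]))
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00" + ip + udp

# Constructed addresses: WS = workstation, SW = switch acting as router, HOST = receiver.
WS, SW, HOST = "020000000001", "020000646240", "020000000002"
SAMPLE = ([build(WS, SW, 128, 0x1234, b"status")]
          + [build(SW, HOST, 127, 0x1234, b"status")] * 7
          + [build(WS, SW, 128, 0x1235, b"other")])
```

Calling find_copies(SAMPLE) reports one packet seen 8 times, with 7 routed copies and two source MACs; frames read from a real capture file can be passed in the same way as raw bytes.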
