Ethereal: Re: [Ethereal-users] Newbie Question - Why can I see traffic between two hosts on a switched network

Ethereal-users: October 2005

Subject: Re: [Ethereal-users] Newbie Question - Why can I see traffic between two hosts on a switched network?
From: julien.leproust@xxxxxxxx
Date: Wed, 12 Oct 2005 15:43:10 +0200

Ben Langridge a écrit :

Hi,

Running Ethereal on my switched (Cisco) network, I occasionally see TCP packets
that have a source and destination address neither of which are my own machine
or broadcast addresses.  Surely without some ARP poisoning/flooding, I shouldn't
be able to see these on a switched network?

Hi,

I experience this sometimes too, on a small Ethernet 10/100 switched network. What I imagine is that these packets are sent to you because the switch did not know where to send them, and sent them everywhere (like a broadcast). This is the case especially when sending a packet to an unknown MAC address, or if the switch's forwarding database is full, or maybe if the arp cache timed out when the packet arrived (?). I guess the reason is somewhere in the ARP/Ethernet protocols and some of their implementations (limited-size databases and buffers, etc).

I also remarked that the hosts involved were often the same, a network printer and a linux host. I have no idea why these and not others.

I even get some HTTP passwords like this :)

Best regards,

--
Julien Leproust
Ercom S.A.

Prev by Date: [Ethereal-users] H.323 Audio Capability issue
Next by Date: RE: [Ethereal-users] Is ethereal the right software for me?
Previous by thread: [Ethereal-users] Newbie Question - Why can I see traffic between two hosts on a switched network?
Next by thread: [Ethereal-users] H.323 Audio Capability issue
Index(es):
- Date
- Thread