Wireshark-users: [Wireshark-users] TCP / SMB Broadcast?
From: mv652@xxxxxxxxxxxx
Date: Wed, 15 Jul 2009 02:11:58 -0600
Thank you for all those responses. They've all been very helpful.
I'll be looking at this in more detail and will post some more info. In the meantime, the architecture is pretty simple: There are 2 CISCO 3750 switches and 1 CISCO 2950. Besides multi-homed PCs and servers, there is no direct connectivity between any of the switches. The 2950 is used only for internet access. The 3750s are used for business traffic. Each is divided into 2 VLANs, each VLAN carrying different business data. "ip routing" is not strictly needed on the switches as inter-VLAN routing is not needed. "ip routing" is enabled only because the monitoring system originally had 3 NICs (one per switch) and a way was needed to monitor devices in the 'other' VLAN. Even then, routing was kept to a minimum with none of the PCs or servers having default routes, but rather static routes direct to the monitoring system via the VLAN IP Address. The monitoring system now has 5 NICs, each placed in a different VLAN. I have an overnight capture of 5 instances of Wireshark running with all NICs in promiscuous mode.
I'll check if this behaviour only occurs in a particular VLAN to drill down the source of the issue.
Point taken regarding the binary capture. I am just very wary of what data I may place on a public forum.
Thanks again for the responses.
Regards,
Mario
------------------------------------------------
Date: Tue, 14 Jul 2009 02:21:03 -0600
From: mv652@xxxxxxxxxxxx
Subject: [Wireshark-users] TCP / SMB Broadcast?
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <courier.4A5C3FFF.0000589C@xxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"
Hi,
I'd appreciate if someone could take a look at the attached capture of 11 packets and explain why I am able to see the TCP & SMB negotiation between these two hosts.
My capturing device has IP Address 10.0.4.26 connected on the same switch, same VLAN as the two systems in the capture (10.0.4.50 & 10.0.4.6). The capturing system's NIC is in promiscuous mode.
Note - I understand why I see the ARP request as it's a broadcast to the network address, what I don't understand is why I see the rest of the communication between the two. I even see an ICMP reply from one host to the other, but not the original request.
These systems are running on a managed switch, not a hub.
Thanks, Mario