ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Ethereal-users: RE: [Ethereal-users] Seeing non broadcast / multicast packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Wed, 25 Jul 2001 16:34:20 -0500
True.  If a bridge (switch) doesn't have the destination MAC address in its
forwarding table, it will flood the frame to all ports.  Query the MIB
dot1dTpFdbEntry for the forwarding table.

Also, look at the first byte of the destination MAC address. If it is an ODD
number, that is a LAYER 2 multicast, but not necessarily an IP multicast.
Protocols like Spanning Tree, Cisco's Discovery Protocol, the Bay
Autotopology Protocol, and AppleTalk all use layer 2 multicasts but do NOT
use IP.  Therefore the frames will get flooded to all ports, but not
necessarily interpreted as "multicast".

--J

> -----Original Message-----
> From: Eichert, Diana [mailto:deicher@xxxxxxxxxx]
> Sent: Wednesday, July 25, 2001 3:44 PM
> To: 'Guy Harris'; Tom Greaser
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: RE: [Ethereal-users] Seeing non broadcast / multicast packets
> 
> 
> Last time I looked this usually happens when the MAC address 
> expires from
> the CAM table, that what it's called on Cisco's.
> 
> If the destination address is not in the bridge forwarding 
> table, in Cisco's
> case this is known as the CAM table. Since the switch does 
> not know which
> port the packet needs to be sent to, it sends them to all 
> ports.  Once a
> system responds to a packet an entry get's created in the CAM 
> table and you
> shouldn't see any more traffic.
> 
> diana
> 
> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxx]
> Sent: July 25, 2001 2:36 PM
> To: Tom Greaser
> Cc: ethereal-users@xxxxxxxxxxxx
> Subject: Re: [Ethereal-users] Seeing non broadcast / multicast packets
> 
> 
> > Im running a total switch network.  But sometimes i pickup some non
> > broadcast / mulicast packets up on my sniff with ethereal...????
> 
> What are the destination MAC addresses of the packets in question? 
> (Presumably they're not being sent to or from the machine running
> Ethereal.)
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube