Hi,
An Ethernet switch tries to make an educated _guess_ where to send the
frames it receives. It wants to be smarter then a hub, which sends it out
of all its ports. How does a switch know where to send the frame then. It
does so based on the destination MAC address. (VLAN's are left beyond this
discussion). So it needs to know which port connects to which MAC address.
You said yourself the relevant host was offline, so the switch didn't know
(any more) where this MAC address was. In order to keep the network going
it sends it through all ports, in the hope it learns the port related to
the MAC address when the host resonds. Since it doesn't it won't learn,
so you keep seeing the frames on all ports.
Thanx,
Jaap
On Thu, 14 Dec 2006, Conrad Bialobzyski wrote:
>
> When running Wireshark, I see non-broadcast traffic that is not destined
> to, or originating from, the capturing workstation.
>
> I know the traffic is a workstation attempting to get an update from a
> McAfee EPO server was offline at the time. The packets are very small.
> There also are other similar sized conversations between workstations
> and printers.
>
> Frame 309 (62 bytes on wire, 62 bytes captured)
> Ethernet II, Src: Cisco_.... , Dst: HewlettP_....
> Internet Protocol, Src: xxxx Dst: xxxx
> Transmission Control Protocol, Src Port: 2408 (2408), Dst Port: 9112
> (9112), Seq: 0, Len: 0
>
> We are in a switched environment. I have been questioned why I can see
> non broadcast conversations that do not involve my workstation. My
> opinion is that these are runt packets that are irrelevant. Is it normal
> to see this traffic? Would this be a reasonable answer?
>
> Thanks in advance for your assistance.
>
>
>
> Conrad Bialobzyski
>
> Conrad.Bialobzyski@xxxxxxx
>
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
