
Wireshark-users: [Wireshark-users] TCP / SMB Broadcast?

Date: Wed, 15 Jul 2009 02:11:58 -0600
Thank you for all those responses. They've all been very helpful.

I'll be looking at this in more detail and will post some more info. In the meantime, the architecture is pretty simple: There are 2 CISCO 3750 switches and 1 CISCO 2950. Besides multi-homed PCs and servers, there is no direct connectivity between any of the switches. The 2950 is used only for internet access. The 3750s are used for business traffic. Each is divided into 2 VLANs, each VLAN carrying different business data. "ip routing" is not strictly needed on the switches as inter-VLAN routing is not needed. "ip routing" is enabled only because the monitoring system originally had 3 NICs (one per switch) and a way was needed to monitor devices in the 'other' VLAN. Even then, routing was kept to a minimum with none of the PCs or servers having default routes, but rather static routes direct to the monitoring system via the VLAN IP address. The monitoring system now has 5 NICs, each placed in a different VLAN. I have an overnight capture of 5 instances of Wireshark running with all NICs in promiscuous mode.

I'll check if this behaviour only occurs in a particular VLAN to drill down to the source of the issue.


Point taken regarding the binary capture. I am just very wary of what data I may place on a public forum.

Thanks again for the responses.

Regards,
Mario

------------------------------------------------
Date: Tue, 14 Jul 2009 02:21:03 -0600
From: mv652@xxxxxxxxxxxx
Subject: [Wireshark-users] TCP / SMB Broadcast?
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <courier.4A5C3FFF.0000589C@xxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
I'd appreciate it if someone could take a look at the attached capture of 11
packets and explain why I am able to see the TCP & SMB negotiation between
these two hosts.
My capturing device has IP address 10.0.4.26 connected on the same switch,
same VLAN as the two systems in the capture (10.0.4.50 & 10.0.4.6).  The
capturing system's NIC is in promiscuous mode.

Note - I understand why I see the ARP request as it's a broadcast to the
network address, what I don't understand is why I see the rest of the
communication between the two.  I even see an ICMP reply from one host to
the other, but not the original request.

These systems are running on a managed switch, not a hub.

Thanks,
Mario