1. Home
  2. Ethernet LAN
  3. Strange results from a tcpdump, can anyone help?

Strange results from a tcpdump, can anyone help?

Hello there, I was refered here by a helpful soul who claims that members of this group may have a deeper understanding of network issues that could help me figure out this problem. I'm reposting the pertinent details below: ================================================

I'm a bit of a newb to the world of networking, so please bear with me.

I work in an environment with many separate vlans spanning several switches (say about a dozen). Today we had an incident where suddenly traffic was going ballistic on most ports in the network. Doing a tcpdump on a particular host on this network, you could actually see unicast traffic that was neither destined to or coming from the host. Or, to put it another way, it almost looked like the host was on a hub, where you could see packets travelling between other hosts on the network to other destinations.

We shut off some ports where some new windows servers were brought up today. As soon as those ports were taken offline, then tcpdumps on the other hosts went to normal (i.e. the only traffic you could see were broadcasts, or unicasts to and from that host).

Can anyone think of a likely explanation for this?

Please let me know if I'm not making sense!

Thanks in advance,

=====================================================

An additional wrinkle I've noticed while studying the tcpdump:

All the traffic I'm seeing that is not supposed to be there (i.e. http traffic from various other switches/hosts on the vlan) tends to be packets from the same vlan (vlan 82) destined to other hosts outside this vlan. In other words, the packets have src ips originating from within the vlan and dst ips are all external, and the src ips are from hosts that are not confined to a particular switch (at a brief glance, I'm seeing src packets coming from switch08, switch05, switch06, as well as other hosts on switch01 - where the tcpdump was taken).

If it was simply a bad switch with a bad port that had lost it's mac tables and was now broadcasting everywhere in the vlan, I would expect to see packets in the tcpdump with all the src ips from a single switch, and dst ips both internal and external to the vlan.

That doesn't seem to be the case here.

Reply to
maethlin
Loading thread data ...

Traffic from the VLAN destined for hosts outside the VLAN is traffic that has to go to a router. Can you see whether the MAC DA on these frames is the MAC address of the default router? If it is, then the question would be why traffic destined to a particular host, the router, is showing up at other ports. As if that router MAC address is not being learned, so all frames to the router are being flooded to all active ports in the catenet.

Is there anything odd about the network? Are these all one-way UDP datagrams, for example?

Bert

Reply to
Albert Manfredi

Will get you some answers to your questions Bert, thank you for the insight! I have additional info though, through some troubleshooting - we've narrowed it down to certain ports causing the problem when they are brought up with portfast turned off. As long as portfast is on, bringing the ports up causes no problem (as they don't participate in the STP).

Also sniffing traffic, you can see topology changes happening when those ports are brought up. Oddly though, the ports are just connected to plain old w2k3 servers.

Reply to
maethlin

So Bert, to answer your question, I'm looking at some of the packets (that were supposed to go outside the vlan) and the MAC DA on them seems to be the core switch interface (all the access switches I am discussing are plugged into a core switch). So yes, it would seem that traffic destined to the core is somehow showing up at other ports - in this case almost every port on that vlan.

Nothing odd about the network that I can tell. They are not one-way UDP datagrams - this is regular http and tcp traffic.

Reply to
maethlin

At the time when the problem happens, look at the switch's forwarding table and see if the MAC address of the router has been learned there.

Anoop

Reply to
anoop

Typical network flooding situation.

Note that all switches do what looks like unicast flooding, when they never recently saw traffic for the destination MAC of the packet. This can easily happen in a complex switch cloud, when broken L3 configuration results in nonsymmetric, triangular traffic.

Also note that all switches revert to unicast flooding behaviour when their MAC->Port tables become full.

Did any of those windows servers have more than one ethernet port connected? Probably not, or you would have mentioned it... If they did, maybe your switches thought they were switches, too.

You mentioned VLANs. How were the ports of those windows servers configured in this regard? Untagged, tagged, open for all VLANs?

How was IP configured on the windows server(s)? Any possibility that one of them took over one of the usual default gateways, e.g. by the typical error of switching local and default gateway IP under configuration? This could be the cause for triangular traffic, as mentioned above.

Not without more information. The symptoms are pretty clear, the reason for their development is not.

best regards Patrick

Reply to
Patrick Schaaf

The MAC DA for all frames addressed to hosts outside the source host's IP subnet should be the MAC address of the router, not the MAC address of any intervening switch. Unless perhaps this "core switch" you mention is also the default router.

Here is the direct quote from IEEE 802.1D-2004:

--------Quote-------

6.2 Preservation of the MAC Service

The MAC Service provided by a Bridged Local Area Network is similar to that provided by a single LAN (6.3). In consequence,

a) A Bridge is not directly addressed by communicating end stations, except as an end station for management purposes-frames transmitted between end stations carry the MAC Address of the peer-end station in their Destination Address field, not a MAC Address of the Bridge.

------------------------------

Anoop's suggestion is good, though. Whatever you find to be the router's MAC address should have been learned by any switch in the path between this host and the router, so it should be in the forwarding tables of all these switches.

Bert

Reply to
Albert Manfredi

Only one ethernet port connected on each server.

The ports for those servers were set to "Untagged" for the vlan they were supposed to participate in. They weren't set at all for all other vlans. (note, these are HP Procurve switches)

As far as I can tell, IP is configured normally - when I turn portfast on (and thus am able to bring up a server safely) I can connnect and see that IP is correct, and default gateway is correctly set to be the core switch (which also serves as the router/default gateway in this network).

Reply to
maethlin

Yes, the core switch is indeed the default router for all these servers.

I believe that is the case - the MAC address for the default router does show up in the tables of all the switches.

Reply to
maethlin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.