Strange results from a tcpdump, can anyone help?



Hello there, I was referred here by a helpful soul who claims that
members of this group may have a deeper understanding of network issues
that could help me figure out this problem. I'm reposting the
pertinent details below:
================================================

I'm a bit of a newb to the world of networking, so please bear with me.

I work in an environment with many separate vlans spanning several
switches (say about a dozen). Today we had an incident where suddenly
traffic was going ballistic on most ports in the network. Doing a
tcpdump on a particular host on this network, you could actually see
unicast traffic that was neither destined to or coming from the host.
Or, to put it another way, it almost looked like the host was on a hub,
where you could see packets travelling between other hosts on the
network to other destinations.

We shut off some ports where some new windows servers were brought up
today. As soon as those ports were taken offline, then tcpdumps on the
other hosts went to normal (i.e. the only traffic you could see were
broadcasts, or unicasts to and from that host).

Can anyone think of a likely explanation for this?

Please let me know if I'm not making sense!

Thanks in advance,

=====================================================

An additional wrinkle I've noticed while studying the tcpdump:

All the traffic I'm seeing that is not supposed to be there (i.e. http
traffic from various other switches/hosts on the vlan) tends to be
packets from the same vlan (vlan 82) destined to other hosts outside
this vlan. In other words, the packets have src ips originating from
within the vlan and dst ips are all external, and the src ips are from
hosts that are not confined to a particular switch (at a brief glance,
I'm seeing src packets coming from switch08, switch05, switch06, as
well as other hosts on switch01 - where the tcpdump was taken).

If it was simply a bad switch with a bad port that had lost its mac
tables and was now broadcasting everywhere in the vlan, I would expect
to see packets in the tcpdump with all the src ips from a single
switch, and dst ips both internal and external to the vlan.

That doesn't seem to be the case here.
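As an added triage aid (not part of the original post), the script below sorts a text capture from `tcpdump -n` into traffic the host is expected to see (to/from itself, plus ARP and other non-IP frames) and foreign unicast, then counts the foreign unicast by direction relative to the VLAN subnet and by source address, which quantifies the two observations above (many source hosts, destinations outside the VLAN). The observed host address, the VLAN 82 subnet and the capture lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output (not from the original post).
# Observed host: 10.82.0.10; VLAN 82 is assumed to be 10.82.0.0/24.
SAMPLE = """\
12:00:01.000001 IP 10.82.0.10.51512 > 10.82.0.1.53: UDP, length 40
12:00:01.000002 IP 10.82.0.1.53 > 10.82.0.10.51512: UDP, length 80
12:00:01.000003 ARP, Request who-has 10.82.0.7 tell 10.82.0.1, length 28
12:00:01.000004 IP 10.82.0.45.49201 > 198.51.100.20.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 10.82.0.77.49202 > 198.51.100.21.80: Flags [P.], seq 1:101, ack 1, win 64240, length 100
12:00:01.000006 IP 10.82.0.45.49203 > 10.82.0.99.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000007 IP 203.0.113.9.443 > 10.82.0.77.49210: Flags [.], ack 1, win 500, length 0
"""

# Matches the "IP src[.port] > dst[.port]:" prefix of a tcpdump line.
IP_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def audit(capture, host, vlan_cidr):
    """Classify each line; return counts plus a Counter of foreign-unicast sources."""
    host = ipaddress.ip_address(host)
    net = ipaddress.ip_network(vlan_cidr)
    out = {"local": 0, "non_ip": 0, "flooded": 0,
           "vlan_to_vlan": 0, "vlan_to_external": 0,
           "external_to_vlan": 0, "external_to_external": 0,
           "sources": Counter()}
    for line in capture.splitlines():
        m = IP_LINE.match(line)
        if not m:                       # ARP and other non-IP frames are expected
            out["non_ip"] += 1
            continue
        src, dst = (ipaddress.ip_address(a) for a in m.groups())
        if host in (src, dst):          # normal unicast to or from this host
            out["local"] += 1
            continue
        # Unicast between two other hosts: a switched port should not see this.
        out["flooded"] += 1
        out["sources"][str(src)] += 1
        direction = ("vlan" if src in net else "external") + "_to_" + \
                    ("vlan" if dst in net else "external")
        out[direction] += 1
    return out


if __name__ == "__main__":
    r = audit(SAMPLE, "10.82.0.10", "10.82.0.0/24")
    print(f"foreign unicast: {r['flooded']}, VLAN->external: {r['vlan_to_external']}")
    for src, n in r["sources"].most_common():
        print(f"  {src}: {n}")
```

A dominant `vlan_to_external` count with sources spread across many switches is the pattern described above; a single-switch source set with mixed destinations would instead match the bad-port hypothesis the post rules out.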
