Re: Strange results from a tcpdump, can anyone help?



Please see answers below:

Patrick Schaaf wrote:
"maethlin" <maethlin@xxxxxxxxx> writes:

I work in an environment with many separate vlans spanning several
switches (say about a dozen). Today we had an incident where suddenly
traffic was going ballistic on most ports in the network. Doing a
tcpdump on a particular host on this network, you could actually see
unicast traffic that was neither destined to nor coming from the host.

Typical network flooding situation.

Note that all switches do what looks like unicast flooding, when they
never recently saw traffic for the destination MAC of the packet. This
can easily happen in a complex switch cloud, when broken L3 configuration
results in nonsymmetric, triangular traffic.

Also note that all switches revert to unicast flooding behaviour when their
MAC->Port tables become full.

We shut off some ports where some new windows servers were brought up
today. As soon as those ports were taken offline, then tcpdumps on the
other hosts went to normal (i.e. the only traffic you could see were
broadcasts, or unicasts to and from that host).

Did any of those windows servers have more than one ethernet port connected?
Probably not, or you would have mentioned it... If they did, maybe your
switches thought they were switches, too.

Only one ethernet port connected on each server.


You mentioned VLANs. How were the ports of those windows servers
configured in this regard? Untagged, tagged, open for all VLANs?

The ports for those servers were set to "Untagged" for the vlan they
were supposed to participate in. They weren't set at all for all other
vlans. (note, these are HP Procurve switches)

How was IP configured on the windows server(s)? Any possibility
that one of them took over one of the usual default gateways,
e.g. by the typical error of switching local and default gateway
IP under configuration? This could be the cause for triangular
traffic, as mentioned above.

As far as I can tell, IP is configured normally - when I turn portfast
on (and thus am able to bring up a server safely) I can connect and
see that IP is correct, and default gateway is correctly set to be the
core switch (which also serves as the router/default gateway in this
network).
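The symptom described in this thread (a host's tcpdump showing unicast frames that belong to neither its own MAC nor a broadcast/multicast group) can be checked mechanically. The following is an added example, not code from anyone in the thread: it parses tcpdump -e style lines, classifies each frame relative to the capturing host's MAC, and flags likely unicast flooding when foreign unicast exceeds a threshold. The sample capture, host MAC and the 20% threshold are constructed assumptions.

```python
import re
from collections import Counter

# tcpdump -e on Ethernet prints: "timestamp src_mac > dst_mac, ethertype ..., length N: ..."
FRAME_RE = re.compile(
    r"^\S+\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),", re.IGNORECASE)

BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(line, host_mac):
    """Label one tcpdump -e line relative to the capturing host's MAC."""
    m = FRAME_RE.match(line)
    if not m:
        return "unparsed"
    src, dst = m.group("src").lower(), m.group("dst").lower()
    host_mac = host_mac.lower()
    if dst == BROADCAST:
        return "broadcast"
    if int(dst[:2], 16) & 1:          # I/G bit set in first octet -> multicast
        return "multicast"
    if host_mac in (src, dst):
        return "own-unicast"
    return "foreign-unicast"          # not expected on a healthy switched access port

def flood_report(lines, host_mac, threshold=0.2):
    """Count frame classes; flag flooding when foreign unicast share exceeds threshold."""
    counts = Counter(classify(l, host_mac) for l in lines)
    unicast = counts["own-unicast"] + counts["foreign-unicast"]
    share = counts["foreign-unicast"] / unicast if unicast else 0.0
    return {"counts": dict(counts), "foreign_share": share, "flooding": share > threshold}

# Constructed sample of what host 00:11:22:33:44:55 might see while switches are flooding
SAMPLE = """\
12:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 98: 10.1.1.5 > 10.1.1.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000500 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 10.1.1.1 > 10.1.1.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.001000 00:aa:bb:cc:dd:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.1.1.7 tell 10.1.1.9, length 28
12:00:01.002000 00:aa:bb:cc:dd:09 > 00:aa:bb:cc:dd:03, ethertype IPv4 (0x0800), length 1514: 10.1.1.20.445 > 10.1.1.30.51000: Flags [.], length 1460
12:00:01.002500 00:aa:bb:cc:dd:09 > 00:aa:bb:cc:dd:04, ethertype IPv4 (0x0800), length 1514: 10.1.1.20.445 > 10.1.1.31.51001: Flags [.], length 1460
12:00:01.003000 00:aa:bb:cc:dd:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 10.1.1.9.5353 > 224.0.0.251.5353: UDP, length 78
""".splitlines()

if __name__ == "__main__":
    print(flood_report(SAMPLE, "00:11:22:33:44:55"))
```

Run it against a real `tcpdump -e -n` capture taken on the affected host; a sustained non-zero foreign-unicast share points at unknown-destination or full-table flooding upstream rather than at the host itself.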



