[c-nsp] ARP oddness

Keegan Holley keegan.holley at sungard.com
Fri Aug 19 21:02:58 EDT 2011


You didn't mention if the replies are destined for the server you're doing the capture on, i.e. the MAC address learned on the port you're sniffing. If not, it might be unknown unicast. Switches flood frames destined for MACs that haven't been learned yet. What is the source and dest of the ARP replies and where are the two boxes in relation to the server you're on?

On Aug 19, 2011, at 4:24 PM, Chuck Church <chuckchurch at gmail.com> wrote:

> Anyone,
> 
>       Researching some issues at a remote site, seeing something I don't
> think should happen.  A packet capture on this remote server using wireshark
> and focusing in on ARP is seeing all the requests (as I'd expect), but I'm
> also seeing unicast replies that I shouldn't.  The MAC address table on the
> switch I'm attached to shows only the MAC of this remote server on that
> port.  There are no SPAN sessions on the switch either.  The destination
> addresses aren't multicast, they're true unicast.  Yet I'm seeing all these
> unicasts that aren't my mac address.  Is there some function built into a
> Cisco switch that broadcasts these to make them act like gratuitous ARPs, or
> am I really seeing something that shouldn't happen?  It's on a Sup2+ 4500,
> running 12.2(25)EWA10 (I know it's ancient, vendor owns it...)
> 
> Thanks,
> 
> Chuck
> 
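
The unknown-unicast flooding suggested in the reply above, as an added example that is not part of the original thread: a minimal Python model of a learning switch, replayed against a capture-host check. The MAC addresses, port numbers, timings and the 300-second aging value are constructed assumptions.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Constructed model of a transparent learning switch (not Cisco code)."""
    def __init__(self, ports, aging=300):
        self.ports = set(ports)
        self.aging = aging   # seconds an idle MAC entry survives (assumed value)
        self.table = {}      # MAC -> (port, time last seen as a source)

    def forward(self, now, in_port, src, dst):
        """Learn the source, then return (kind, egress ports) for the frame."""
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t <= self.aging}      # age out idle entries
        self.table[src] = (in_port, now)
        others = self.ports - {in_port}
        if dst == BROADCAST:
            return "broadcast", others
        if dst in self.table:
            return "known-unicast", {self.table[dst][0]} - {in_port}
        return "unknown-unicast-flood", others

def seen_on_port(frames, port, aging=300):
    """Replay (time, in_port, src, dst) frames; return what reaches `port`."""
    sw = LearningSwitch(ports={1, 2, 3}, aging=aging)
    seen = []
    for now, in_port, src, dst in frames:
        kind, egress = sw.forward(now, in_port, src, dst)
        if port in egress:
            seen.append({"time": now, "src": src, "dst": dst, "kind": kind})
    return seen

def foreign_unicast(capture, my_mac):
    """Frames in a host capture that are unicast yet not addressed to the host."""
    return [f for f in capture
            if f["dst"] != my_mac
            and not int(f["dst"][:2], 16) & 1]   # I/G bit clear means unicast

# Constructed MACs and timings: A on port 1, B on port 2, capture host on port 3.
A, B, ME = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
FRAMES = [
    (0,   1, A, BROADCAST),  # A broadcasts an ARP request; switch learns A
    (1,   2, B, A),          # B's unicast reply: A is known, sent to port 1 only
    (400, 2, B, A),          # A idle past aging: the same unicast is now flooded
]

if __name__ == "__main__":
    for f in foreign_unicast(seen_on_port(FRAMES, port=3), ME):
        print(f)
```

In this model the capture host sees the broadcast request and only the third frame as foreign unicast, even though the switch's table lists a single MAC on its port.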


