
I'd like to ask for help in understanding this tcpdump capture. Tcpdump is running on server 10.13.255.27 and received the packet:

[root@server27 ~]# tcpdump -i eth0 dst host 10.13.255.26 and not src net 10.13.255.0/24 -nn -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

13:55:48.604841 IP (tos 0x0, ttl 58, id 52803, offset 0, flags [DF], proto TCP (6), length 1420)
    10.19.13.152.48002 > 10.13.255.26.40650: Flags [.], cksum 0x13eb (correct), seq 4107760935:4107762315, ack 911518208,  win 998, length 1380

10.19.13.152 is a server that reaches the net 10.13.255.0/24 through a VPN.

The question is why this packet was sent to 10.13.255.27. Both 26 and 27 are connected to a Summit200 switch on the same VLAN, and neither of them is virtual.

Thanks in advance

krisFR
Brn

1 Answer


You are running tcpdump in promiscuous mode. This means that tcpdump will configure the network interface to receive all packets on the link regardless of destination MAC address.

By default a network interface drops all packets not intended for this host. Any packet not intended for this host is silently dropped by the network interface without notifying the kernel.

You can use the -p flag to tcpdump to not have it change the setting of the network interface. However, keep in mind that the interface may have been put in promiscuous mode for other reasons.

From your output we cannot see if the destination MAC address of the packet matches the network interface it was received on. Where to look for more information depends on which of the two is the case.

If the destination MAC matches the network interface it was received on then you need to look in the routing table on the previous hop the packet was routed through in order to see why it got routed to your MAC.

If the destination MAC does not match the network interface it was received on then the MAC address must be absent from the CAM on the switch. This can either indicate you have more MACs on the LAN than the CAM on the switch can hold, or that the target MAC address of the packet simply hasn't sent any packets recently.

kasperd
Hi Kasperd, You are right. I tried the -p option for tcpdump and the packets stopped being received. Additionally, I've noticed that these packets were arriving every 5 minutes. So I checked the switch configuration and found that the FDB entries are set to be refreshed at this rate. I was able to reproduce the situation clearing the MAC entry. The Extreme Summit manual says "Frames destined for devices that are not in the FDB are flooded to all members of the VLAN." Thank you for your help - Brn Apr 12 '15 at 23:14
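The answer's check (does the destination MAC match the capturing interface, or is the frame an unknown-unicast flood seen only because of promiscuous mode) as an added example, not code from the question or answer: it parses a constructed Ethernet/IPv4/TCP frame modelled on the captured packet and classifies it against an interface MAC. All MAC addresses are constructed placeholders; on a real host `tcpdump -e` prints the link-layer addresses this check needs.

```python
import struct

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header of an untagged frame and, for IPv4/TCP, the addresses and ports."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src), "ethertype": ethertype}
    if ethertype == 0x0800:                       # IPv4
        ihl = (frame[14] & 0x0F) * 4              # IP header length in bytes
        proto = frame[23]                         # IP protocol field (6 = TCP)
        src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
        info["src_ip"] = ".".join(map(str, src_ip))
        info["dst_ip"] = ".".join(map(str, dst_ip))
        if proto == 6:                            # TCP ports are the first 4 bytes after the IP header
            info["sport"], info["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return info

def classify(frame: bytes, iface_mac: str) -> str:
    """Explain why a frame showed up on the interface whose MAC address is iface_mac."""
    dst = parse_frame(frame)["dst_mac"]
    if dst == iface_mac.lower():
        return "unicast-to-this-interface"        # look at the previous hop's routing/ARP
    if int(dst[:2], 16) & 1:                      # group bit set: broadcast or multicast
        return "group-address"                    # delivered to every VLAN member anyway
    return "flooded-unknown-unicast"              # only visible in promiscuous mode; MAC not in FDB/CAM

def build_ipv4_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport) -> bytes:
    """Constructed sample frame (checksums zeroed) with the IP/TCP values from the capture."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 52803, 0x4000, 58, 6, 0,   # DF set, ttl 58
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 998, 0, 0)  # ACK, win 998
    return eth + ip + tcp

# Placeholder MACs (constructed): the two servers and the VPN router on the VLAN.
SERVER26_MAC = "00:16:3e:00:ff:26"
SERVER27_MAC = "00:16:3e:00:ff:27"
ROUTER_MAC = "00:16:3e:00:ff:01"
FRAME = build_ipv4_tcp_frame(SERVER26_MAC, ROUTER_MAC, "10.19.13.152", "10.13.255.26", 48002, 40650)

if __name__ == "__main__":
    print(parse_frame(FRAME))
    print("seen on server27 because:", classify(FRAME, SERVER27_MAC))
```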