Packet sniff analysis question....

Discussion in 'Cisco' started by Some Guy..., Jan 29, 2004.

  1. Some Guy...

    Some Guy... Guest

    Our 3550 switch (24 port plus 2 GBIC) is being bombarded by LLC
    packets (see below). The source MAC isn't registered in our workplace,
    but due to recent upgrades, that's not an issue. The destination MAC
    looks suspect, and in a 5 second time period, we accumulated about 600
    of just this one type of packet. Any ideas?

    (Update: I see that the packet is part of the reserved Cisco Shared
    Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd), but
    why is the switch getting about 600 every 5 seconds?)

    In the sniffer, the only difference I saw was in the section called
    "802.1q Virtual LAN" the ID number. It goes something like 191, 192,
    193, 194, 195, 152, 153, 154, 196, 197...and on and on and on.

    TIA.


    Frame 1 (68 bytes on wire, 68 bytes captured)
    Arrival Time: Jan 28, 2004 15:46:00.294160000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 68 bytes
    Capture Length: 68 bytes
    Ethernet II, Src: 00:0d:bc:97:2b:12, Dst: 01:00:0c:cc:cc:cd
    Destination: 01:00:0c:cc:cc:cd (01:00:0c:cc:cc:cd)
    Source: 00:0d:bc:97:2b:12 (Cisco_97:2b:12)
    Type: 802.1Q Virtual LAN (0x8100)
    802.1q Virtual LAN
    111. .... .... .... = Priority: 7
    ...0 .... .... .... = CFI: 0
    .... 0000 1100 0110 = ID: 198
    Length: 50
    Logical-Link Control
    DSAP: SNAP (0xaa)
    IG Bit: Individual
    SSAP: SNAP (0xaa)
    CR Bit: Command
    Control field: U, func = UI (0x03)
    000. 00.. = Unnumbered Information
    .... ..11 = Unnumbered frame
    Organization Code: Cisco (0x00000c)
    PID: PVSTP+ (0x010b)
    Data (42 bytes)

    0000  00 00 00 00 00 80 c6 00 0b 46 2a f9 40 00 00 00   .........F*.@...
    0010  00 80 c6 00 0b 46 2a f9 40 80 01 00 00 14 00 02   .....F*.@.......
    0020  00 0f 00 00 00 00 00 02 00 c6                     ..........
     
    Some Guy..., Jan 29, 2004
    #1

  2. Thomas Larus

    Thomas Larus Guest

    From the part of the readout at the end that says, "PID: PVSTP+ (0x010b),"
    it looks like this traffic is Per-VLAN Spanning Tree Protocol + (PVST+)
    traffic. You should not be surprised to see a lot of STP traffic when you
    use a Sniffer to view the traffic on all or a big part of a switch. 600
    every 5 minutes equals 120 every minute. I think the "hello time" interval
    for sending out BPDUs for STP is usually something really short like 2
    seconds. So you could easily have 30 in a minute for just one VLAN. I am
    not clear on the mechanics, but if this is multiplied by even four VLANs you
    could get 120 BPDUs in a minute, which would amount to 600 in five minutes.

    So what at first looks like a lot of traffic is really not so much for
    Spanning Tree Protocol.

    Best regards,

    Tom Larus, CCIE #10,014
    Author of CCIE Warm-Up: Advice and Learning Labs
    http://www.ipexpert.com/products_services/product.asp?sku=ip7777



    "Some Guy..." <> wrote in message
    news:...
    > Our 3550 switch (24 port plus 2 GBIC) is being bombarded by LLC
    > packets (see below). The source MAC isn't registered in our workplace,
    > but due to recent upgrades, that's not an issue. The destination MAC
    > looks suspect, and in a 5 second time period, we accumulated about 600
    > of just this one type of packet. Any ideas?
    >
    > (Update : I see that the packet is part of reserved Cisco Shared
    > Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd), but
    > why is the switch getting about 600 per every 5 seconds)?
    >
    > In the sniffer, the only difference I saw was in the section called
    > "802.1q Virtual LAN" the ID number. It goes something like 191, 192,
    > 193, 194, 195, 152, 153, 154, 196, 197...and on and on and on.
    >
    > TIA.
    >
    >
    > Frame 1 (68 bytes on wire, 68 bytes captured)
    > Arrival Time: Jan 28, 2004 15:46:00.294160000
    > Time delta from previous packet: 0.000000000 seconds
    > Time since reference or first frame: 0.000000000 seconds
    > Frame Number: 1
    > Packet Length: 68 bytes
    > Capture Length: 68 bytes
    > Ethernet II, Src: 00:0d:bc:97:2b:12, Dst: 01:00:0c:cc:cc:cd
    > Destination: 01:00:0c:cc:cc:cd (01:00:0c:cc:cc:cd)
    > Source: 00:0d:bc:97:2b:12 (Cisco_97:2b:12)
    > Type: 802.1Q Virtual LAN (0x8100)
    > 802.1q Virtual LAN
    > 111. .... .... .... = Priority: 7
    > ...0 .... .... .... = CFI: 0
    > .... 0000 1100 0110 = ID: 198
    > Length: 50
    > Logical-Link Control
    > DSAP: SNAP (0xaa)
    > IG Bit: Individual
    > SSAP: SNAP (0xaa)
    > CR Bit: Command
    > Control field: U, func = UI (0x03)
    > 000. 00.. = Unnumbered Information
    > .... ..11 = Unnumbered frame
    > Organization Code: Cisco (0x00000c)
    > PID: PVSTP+ (0x010b)
    > Data (42 bytes)
    >
    > 0000 00 00 00 00 00 80 c6 00 0b 46 2a f9 40 00 00 00
    > .........F*.@...
    > 0010 00 80 c6 00 0b 46 2a f9 40 80 01 00 00 14 00 02
    > .....F*.@.......
    > 0020 00 0f 00 00 00 00 00 02 00 c6 ..........
     
    Thomas Larus, Jan 29, 2004
    #2

  3. Some Guy...

    Some Guy... Guest

    Why would they all be generated from the same source MAC address?


    "Thomas Larus" <> wrote in message news:<hYZRb.2461$CJ1.745@lakeread01>...
    > From the part of the readout at the end that says, "PID: PVSTP+ (0x010b),"
    > it looks like this traffic is Per-VLAN Spanning Tree Protocol + (PVST+)
    > traffic. You should not be surprised to see a lot of STP traffic when you
    > use a Sniffer to view the traffic on all or a big part of a switch. 600
    > every 5 minutes equals 120 every minute. I think the "hello time" interval
    > for sending out BPDUs for STP is usually something really short like 2
    > seconds. So you could easily have 30 in a minute for just one VLAN. I am
    > not clear on the mechanics, but if this is multiplied by even four VLANs you
    > could get 120 BPDUs in a minute, which would amount to 600 in five minutes.
    >
    > So what at first looks like a lot of traffic is really not so much for
    > Spanning Tree Protocol.
    >
    > Best regards,
    >
    > Tom Larus, CCIE #10,014
    > Author of CCIE Warm-Up: Advice and Learning Labs
    > http://www.ipexpert.com/products_services/product.asp?sku=ip7777
    >
    >
    >
    > "Some Guy..." <> wrote in message
    > news:...
    > > Our 3550 switch (24 port plus 2 GBIC) is being bombarded by LLC
    > > packets (see below). The source MAC isn't registered in our workplace,
    > > but due to recent upgrades, that's not an issue. The destination MAC
    > > looks suspect, and in a 5 second time period, we accumulated about 600
    > > of just this one type of packet. Any ideas?
    > >
    > > (Update : I see that the packet is part of reserved Cisco Shared
    > > Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd), but
    > > why is the switch getting about 600 per every 5 seconds)?
    > >
    > > In the sniffer, the only difference I saw was in the section called
    > > "802.1q Virtual LAN" the ID number. It goes something like 191, 192,
    > > 193, 194, 195, 152, 153, 154, 196, 197...and on and on and on.
    > >
    > > TIA.
    > >
    > >
    > > Frame 1 (68 bytes on wire, 68 bytes captured)
    > > Arrival Time: Jan 28, 2004 15:46:00.294160000
    > > Time delta from previous packet: 0.000000000 seconds
    > > Time since reference or first frame: 0.000000000 seconds
    > > Frame Number: 1
    > > Packet Length: 68 bytes
    > > Capture Length: 68 bytes
    > > Ethernet II, Src: 00:0d:bc:97:2b:12, Dst: 01:00:0c:cc:cc:cd
    > > Destination: 01:00:0c:cc:cc:cd (01:00:0c:cc:cc:cd)
    > > Source: 00:0d:bc:97:2b:12 (Cisco_97:2b:12)
    > > Type: 802.1Q Virtual LAN (0x8100)
    > > 802.1q Virtual LAN
    > > 111. .... .... .... = Priority: 7
    > > ...0 .... .... .... = CFI: 0
    > > .... 0000 1100 0110 = ID: 198
    > > Length: 50
    > > Logical-Link Control
    > > DSAP: SNAP (0xaa)
    > > IG Bit: Individual
    > > SSAP: SNAP (0xaa)
    > > CR Bit: Command
    > > Control field: U, func = UI (0x03)
    > > 000. 00.. = Unnumbered Information
    > > .... ..11 = Unnumbered frame
    > > Organization Code: Cisco (0x00000c)
    > > PID: PVSTP+ (0x010b)
    > > Data (42 bytes)
    > >
    > > 0000 00 00 00 00 00 80 c6 00 0b 46 2a f9 40 00 00 00
    > > .........F*.@...
    > > 0010 00 80 c6 00 0b 46 2a f9 40 80 01 00 00 14 00 02
    > > .....F*.@.......
    > > 0020 00 0f 00 00 00 00 00 02 00 c6 ..........
     
    Some Guy..., Jan 29, 2004
    #3
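The 42-byte "Data" block in the first post is a complete IEEE 802.1D configuration BPDU followed by Cisco's PVST+ trailer, and decoding it answers both the rate question in post #2 and the source-MAC question in post #3. The following decoder is an added example written for this thread, not code from any of the posters: it parses the pasted bytes, cross-checks the BPDU against the 802.1Q tag and the Ethernet source the sniffer reported, and inverts the hello timer to estimate how many VLANs must be sending to produce the observed frame count. The one-byte gap between the 35-byte BPDU and the VLAN TLV is treated as padding; that reading of the trailer is an assumption of the example.

```python
# Added example, not code from the thread: decode the PVST+ BPDU pasted in the
# first post and check it against the frame headers the sniffer showed.
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed inputs, copied from the first post's sniffer output (frame 1).
FRAME_SRC_MAC = "00:0d:bc:97:2b:12"   # Ethernet source of the captured frame
DOT1Q_VID = 198                       # "ID: 198" in the 802.1q section
PVST_DATA = bytes.fromhex(            # the 42-byte "Data" block after the SNAP header
    "00 00 00 00 00 80 c6 00 0b 46 2a f9 40 00 00 00"
    "00 80 c6 00 0b 46 2a f9 40 80 01 00 00 14 00 02"
    "00 0f 00 00 00 00 00 02 00 c6"
)

@dataclass
class BridgeId:
    priority: int       # upper 4 bits of the 16-bit field, in steps of 4096
    ext_system_id: int  # lower 12 bits; PVST+ carries the VLAN number here
    mac: str            # the bridge's base MAC, not the port that sent the frame

@dataclass
class ConfigBpdu:
    flags: int
    root: BridgeId
    root_path_cost: int
    bridge: BridgeId
    port_id: int
    message_age: float   # timers are converted to seconds (wire unit is 1/256 s)
    max_age: float
    hello_time: float
    forward_delay: float
    originating_vlan: Optional[int]

BPDU_FMT = "!HBBB8sI8sHHHHH"   # IEEE 802.1D configuration BPDU, 35 bytes

def parse_bridge_id(raw: bytes) -> BridgeId:
    field = struct.unpack("!H", raw[:2])[0]
    return BridgeId(priority=field & 0xF000, ext_system_id=field & 0x0FFF,
                    mac=":".join(f"{b:02x}" for b in raw[2:8]))

def parse_pvst_bpdu(data: bytes) -> ConfigBpdu:
    size = struct.calcsize(BPDU_FMT)
    (proto, version, bpdu_type, flags, root_raw, cost, bridge_raw, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, data[:size])
    if proto != 0 or version != 0 or bpdu_type != 0:
        raise ValueError("not an 802.1D configuration BPDU")
    # Cisco's PVST+ trailer: this capture has one zero byte after the 35-byte
    # BPDU, then a TLV (type 0x0000, length 2, value = originating VLAN).
    # Treating that single byte as padding is an assumption of this example.
    vlan = None
    tlv = data[size + 1:]
    while len(tlv) >= 4:
        ttype, tlen = struct.unpack("!HH", tlv[:4])
        value, tlv = tlv[4:4 + tlen], tlv[4 + tlen:]
        if ttype == 0 and tlen == 2:
            vlan = struct.unpack("!H", value)[0]
    return ConfigBpdu(flags, parse_bridge_id(root_raw), cost,
                      parse_bridge_id(bridge_raw), port_id,
                      msg_age / 256, max_age / 256, hello / 256, fwd_delay / 256,
                      vlan)

def check_frame(bpdu: ConfigBpdu, dot1q_vid: int, frame_src_mac: str) -> dict:
    """Cross-check the BPDU against the 802.1Q tag and the Ethernet source."""
    return {
        # The tag, the trailer and the extended system ID should all name one VLAN.
        "vlan_consistent": bpdu.originating_vlan == dot1q_vid == bpdu.bridge.ext_system_id,
        # Root ID equal to Bridge ID with cost 0: the sender believes it is root.
        "sender_claims_root": bpdu.root == bpdu.bridge and bpdu.root_path_cost == 0,
        # The Ethernet source is the sending port's MAC; the bridge's base MAC
        # lives in the Bridge ID, so the two normally differ.
        "src_is_bridge_mac": frame_src_mac == bpdu.bridge.mac,
    }

def vlans_implied(frames_seen: int, window_s: float, hello_s: float) -> float:
    """A trunk sends one BPDU per VLAN per hello interval; invert that to
    estimate how many VLANs produced the observed frame count."""
    return frames_seen * hello_s / window_s

if __name__ == "__main__":
    bpdu = parse_pvst_bpdu(PVST_DATA)
    print(bpdu)
    print(check_frame(bpdu, DOT1Q_VID, FRAME_SRC_MAC))
    print("VLANs implied by 600 frames in 5 s:",
          vlans_implied(600, 5, bpdu.hello_time))
```

Run against the pasted bytes, the decoder reports a hello time of 2 seconds, max age 20 and forward delay 15 (the 802.1D defaults), an originating VLAN of 198 that matches the 802.1Q tag, and a Bridge ID whose MAC (00:0b:46:2a:f9:40) differs from the frame's Ethernet source: every VLAN's BPDU leaving one trunk port carries that port's MAC, which is why the frames all share a source address. Root ID equals Bridge ID with path cost 0, so the sender is advertising itself as root for VLAN 198. With a 2-second hello, 600 frames in 5 seconds implies roughly 240 VLANs trunked through the sniffed port, consistent with the run of VLAN IDs the first post lists. From a defender's side, the items worth keeping an eye on are the ones check_frame surfaces: BPDUs that claim root from a bridge MAC you do not recognise, or VLAN IDs you never provisioned, are what BPDU Guard and Root Guard on edge ports are there to reject.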