Seeing unexpected skinny heartbeats when sniffing IP phone's network traffic

Discussion in 'VOIP' started by SplkBarney, Aug 24, 2005.

  1. SplkBarney

    SplkBarney Guest

    I am doing research to see if an application on a computer that is
    connected to the network port of an IP phone (7940/60/70/etc) can "see"
    the attached phone. I am doing this by using a packet sniffer to look
    for skinny heartbeats between the phone and CallManagers in a cluster.
    I am seeing the skinny heartbeats for my attached phone, but I am also
    seeing heartbeats and acks between other phones and other CallManager
    clusters. These are TCP packets with IPs and MACs that do not match my
    phone or PC. I don't understand why I am even able to see these
    packets. My phone (and the others that I see heartbeats from) are all
    attached to a 3548 switch which is connected to a core Catalyst 6000
    switch.

    Does anyone know what could be causing my sniffing application
    (Ethereal) on my PC to be able to see TCP traffic that is not even
    directed to my phone or PC?
    (There are no SPAN sessions on the switch. There is no hub between my
    PC, the phone, and the switch. This is recreatable and persistent.) I
    can provide additional information if needed.

    Thanks in advance.
    SplkBarney, Aug 24, 2005
    #1
    1. Advertising

  2. SplkBarney wrote:
    > I am doing research to see if an application on a computer that is
    > connected to the network port of an IP phone (7940/60/70/etc) can "see"
    > the attached phone. I am doing this by using a packet sniffer to look
    > for skinny heartbeats between the phone and CallManagers in a cluster.
    > I am seeing the skinny heartbeats for my attached phone, but I am also
    > seeing heartbeats and acks between other phones and other CallManager
    > clusters. These are TCP packets with IPs and MACs that do not match my
    > phone or PC. I don't understand why I am even able to see these
    > packets. My phone (and the others that I see heartbeats from) are all
    > attached to a 3548 switch which is connected to a core Catalyst 6000
    > switch.
    >
    > Does anyone know what could be causing my sniffing application
    > (Ethereal) on my PC to be able to see TCP traffic that is not even
    > directed to my phone or PC?


    Probably the fact that Ethereal is sniffing with its interface put in
    "promiscuous mode", and your switches are (mis-?)configured to work as
    non-switching hubs...

    Enzo
    Enzo Michelangeli, Aug 25, 2005
    #2
    1. Advertising

  3. SplkBarney

    Miguel Cruz Guest

    SplkBarney <> wrote:
    > I am doing research to see if an application on a computer that is
    > connected to the network port of an IP phone (7940/60/70/etc) can "see"
    > the attached phone. I am doing this by using a packet sniffer to look
    > for skinny heartbeats between the phone and CallManagers in a cluster.
    > I am seeing the skinny heartbeats for my attached phone, but I am also
    > seeing heartbeats and acks between other phones and other CallManager
    > clusters. These are TCP packets with IPs and MACs that do not match my
    > phone or PC. I don't understand why I am even able to see these
    > packets.


    Are they directed to broadcast addresses?

    miguel
    --
    Hit The Road! Photos from 36 countries on 5 continents: http://travel.u.nu
    Latest photos: Queens Day in Amsterdam; the Grand Canyon; Amman, Jordan
    Miguel Cruz, Aug 25, 2005
    #3
  4. SplkBarney

    SplkBarney Guest

    In reply to Enzo's message:
    I am sniffing in promiscuous mode so I can see the traffic going to and
    coming from the attached IP phone. I do not believe the switches are
    misconfigured. They are not acting like hubs (except in the cases where
    I am seeing these misdirected packets).

    In reply to Miguel:
    The packets that I am seeing are not broadcast packets. They are
    directed to specific IP addresses and MACs that do not include the IP
    phone or the PC I am using for sniffing. I am seeing other broadcast
    traffic, but I am ignoring that.

    The latest theory on this is that it is Unicast Flooding. This is
    supposedly a normal occurance when the switches MAC table gets filled
    up. When the switch has a packet for a MAC, but can't find the MAC in
    its table, it sends it out all its ports; not as a broadcast packet,
    but essentially a broadcast because it is sent out every port. We have
    looked at the MAC table in both switches and they are far from being
    full, so I don't know about this being the cause. I am continuing to
    look at the switch settings and Unicast Flooding to see if I can find
    an answer.

    Thanks for your responses!
    SplkBarney, Sep 1, 2005
    #4
  5. SplkBarney

    Miguel Cruz Guest

    SplkBarney <> wrote:
    > The latest theory on this is that it is Unicast Flooding. This is
    > supposedly a normal occurance when the switches MAC table gets filled
    > up. When the switch has a packet for a MAC, but can't find the MAC in
    > its table, it sends it out all its ports; not as a broadcast packet,
    > but essentially a broadcast because it is sent out every port. We have
    > looked at the MAC table in both switches and they are far from being
    > full, so I don't know about this being the cause. I am continuing to
    > look at the switch settings and Unicast Flooding to see if I can find
    > an answer.


    If the MAC table is not full then this seems unlikely. Also, unless there is
    nothing else happening on your network, you would see other traffic also
    coming out all interfaces, not just the VoIP stuff.

    miguel
    --
    Hit The Road! Photos from 36 countries on 5 continents: http://travel.u.nu
    Latest photos: Queens Day in Amsterdam; the Grand Canyon; Amman, Jordan
    Miguel Cruz, Sep 1, 2005
    #5
  6. SplkBarney

    SplkBarney Guest

    We are seeing a smattering of other TCP packets that I shouldn't be
    able to see. I've been concentrating on the skinny heartbeats because
    that is what I was more interested in.
    SplkBarney, Sep 1, 2005
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. AM
    Replies:
    1
    Views:
    1,712
  2. Johnny Noitargim
    Replies:
    9
    Views:
    5,984
    nover
    Nov 15, 2010
  3. SplkBarney
    Replies:
    4
    Views:
    740
  4. ~~ Louis

    What's the skinny on FrontPage 2004?

    ~~ Louis, Mar 2, 2004, in forum: Computer Support
    Replies:
    5
    Views:
    1,152
  5. David Spalding

    SKINNY

    David Spalding, Jan 24, 2004, in forum: VOIP
    Replies:
    8
    Views:
    869
    Steve Blair
    Feb 5, 2004
Loading...

Share This Page