Packet sniff analysis question....

Discussion in 'Cisco' started by Some Guy..., Jan 29, 2004.

  1. Some Guy...

    Some Guy... Guest

    Our 3550 switch (24 port plus 2 GBIC) is being bombarded by LLC
    packets (see below). The source MAC isn't registered in our workplace,
    but due to recent upgrades, that's not an issue. The destination MAC
    looks suspect, and in a 5 second time period, we accumulated about 600
    of just this one type of packet. Any ideas?

    (Update: I see that the packet uses the reserved Cisco Shared
    Spanning Tree (SSTP) multicast MAC address (01-00-0c-cc-cc-cd), but
    why is the switch getting about 600 every 5 seconds?)

    In the sniffer, the only difference I saw was in the section called
    "802.1q Virtual LAN" the ID number. It goes something like 191, 192,
    193, 194, 195, 152, 153, 154, 196, 197...and on and on and on.

    TIA.


    Frame 1 (68 bytes on wire, 68 bytes captured)
    Arrival Time: Jan 28, 2004 15:46:00.294160000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 68 bytes
    Capture Length: 68 bytes
    Ethernet II, Src: 00:0d:bc:97:2b:12, Dst: 01:00:0c:cc:cc:cd
    Destination: 01:00:0c:cc:cc:cd (01:00:0c:cc:cc:cd)
    Source: 00:0d:bc:97:2b:12 (Cisco_97:2b:12)
    Type: 802.1Q Virtual LAN (0x8100)
    802.1q Virtual LAN
    111. .... .... .... = Priority: 7
    ...0 .... .... .... = CFI: 0
    .... 0000 1100 0110 = ID: 198
    Length: 50
    Logical-Link Control
    DSAP: SNAP (0xaa)
    IG Bit: Individual
    SSAP: SNAP (0xaa)
    CR Bit: Command
    Control field: U, func = UI (0x03)
    000. 00.. = Unnumbered Information
    .... ..11 = Unnumbered frame
    Organization Code: Cisco (0x00000c)
    PID: PVSTP+ (0x010b)
    Data (42 bytes)

    0000  00 00 00 00 00 80 c6 00 0b 46 2a f9 40 00 00 00  ..........F*.@...
    0010  00 80 c6 00 0b 46 2a f9 40 80 01 00 00 14 00 02  .....F*.@.......
    0020  00 0f 00 00 00 00 00 02 00 c6                    ..........

    Some Guy..., Jan 29, 2004
    #1

  2. Some Guy...

    Thomas Larus Guest

    From the part of the readout at the end that says "PID: PVSTP+ (0x010b)",
    it looks like this traffic is Per-VLAN Spanning Tree Protocol + (PVST+)
    traffic. You should not be surprised to see a lot of STP traffic when you
    use a Sniffer to view the traffic on all or a big part of a switch. 600
    every 5 minutes equals 120 every minute. I think the "hello time" interval
    for sending out BPDUs for STP is usually something really short, like 2
    seconds. So you could easily have 30 in a minute for just one VLAN. I am
    not clear on the mechanics, but if this is multiplied by even four VLANs you
    could get 120 BPDUs in a minute, which would amount to 600 in five minutes.

    So what at first looks like a lot of traffic is really not so much for
    Spanning Tree Protocol.

    Best regards,

    Tom Larus, CCIE #10,014
    Author of CCIE Warm-Up: Advice and Learning Labs
    http://www.ipexpert.com/products_services/product.asp?sku=ip7777
     
    Thomas Larus, Jan 29, 2004
    #2
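An added example, not from the thread or from Cisco: a Python decoder that re-types Frame 1 from the hex dump in the first post and pulls out the pieces both posts turn on: the 802.1Q tag (VID 198), the LLC/SNAP header with Cisco's PVST+ PID, the BPDU timers (hello 2 s, max age 20 s, forward delay 15 s), the root/bridge ID whose low 12 bits of priority carry the VLAN, and Cisco's trailing originating-VLAN TLV. The `expected_bpdus` function is the rate arithmetic Tom sketches (one BPDU per VLAN per hello time from each neighbouring switch); the dictionary keys and function names are my own.

```python
import struct

SSTP_MAC = bytes.fromhex("01000ccccccd")            # Cisco SSTP/PVST+ multicast
PVST_SNAP = bytes.fromhex("aaaa03" "00000c" "010b")  # LLC SNAP/UI, Cisco OUI, PID PVST+

# Frame 1 from the thread, re-typed here from the sniffer decode (68 bytes).
FRAME = bytes.fromhex(
    "01000ccccccd" "000dbc972b12"    # dst (SSTP multicast), src MAC
    "8100" "e0c6" "0032"             # TPID, TCI (PCP 7, CFI 0, VID 198), length 50
    "aaaa03" "00000c" "010b"         # LLC UI, Cisco OUI, PID PVST+
    "0000" "00" "00" "00"            # protocol ID, version 0, config BPDU, flags
    "80c6000b462af940" "00000000"    # root ID, root path cost
    "80c6000b462af940" "8001"        # bridge ID, port ID
    "0000" "1400" "0200" "0f00"      # msg age, max age, hello, fwd delay (1/256 s)
    "00" "0000" "0002" "00c6"        # pad, PVST+ TLV: type 0, length 2, VLAN 198
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def bridge_id(raw):
    """8-byte bridge ID -> (priority, extended system ID = VLAN, base MAC)."""
    pri = struct.unpack_from("!H", raw)[0]
    return pri & 0xF000, pri & 0x0FFF, mac(raw[2:8])

def parse_pvst_frame(frame):
    """Decode an 802.1Q-tagged PVST+ configuration BPDU; raise if it is not one."""
    if frame[0:6] != SSTP_MAC:
        raise ValueError("destination is not the Cisco SSTP multicast address")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != 0x8100 or frame[18:26] != PVST_SNAP:
        raise ValueError("not an 802.1Q-tagged PVST+ SNAP PDU")
    bpdu = frame[26:]
    (_proto, _ver, btype, _flags, root, cost, bridge, _port,
     _msg_age, max_age, hello, fwd) = struct.unpack_from("!HBBB8sI8sHHHHH", bpdu)
    # Cisco appends a pad byte, then a TLV (type 0, len 2) with the originating VLAN.
    tlv_vlan = struct.unpack_from("!H", bpdu, 40)[0] if len(bpdu) >= 42 else None
    r_pri, r_vlan, r_mac = bridge_id(root)
    vid = tci & 0x0FFF
    return {
        "src_mac": mac(frame[6:12]),  # sending port's MAC, not the bridge's base MAC
        "pcp": tci >> 13, "vid": vid, "config_bpdu": btype == 0,
        "root": (r_pri, r_vlan, r_mac), "bridge_mac": bridge_id(bridge)[2],
        "is_root": root == bridge, "root_path_cost": cost,
        "hello_s": hello / 256, "max_age_s": max_age / 256, "fwd_delay_s": fwd / 256,
        "tlv_vlan": tlv_vlan,
        # Tag VID, extended system ID and TLV VLAN must agree; a receiving switch
        # treats a mismatch as a PVID inconsistency and blocks the port.
        "consistent": vid == r_vlan == tlv_vlan,
    }

def expected_bpdus(vlans, window_s, hello_s=2.0):
    """BPDUs one neighbour sends per trunk in window_s: one per VLAN per hello time."""
    return vlans * window_s / hello_s
```

Run with the hello time the decoder reports: 600 frames in 5 s at a 2 s hello time is 2.5 BPDUs per VLAN, so roughly 240 VLAN instances are being advertised across the trunks the sniffer saw.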

  3. Some Guy...

    Some Guy... Guest

    Why would they all be generated from the same source MAC address?
     
    Some Guy..., Jan 29, 2004
    #3
