Wireshark-users: Re: [Wireshark-users] SMB Broadcast Traffic
From: Marc Luethi <netztier@xxxxxxxxxx>
Date: Fri, 21 Nov 2008 19:17:34 +0100
On Fri, 2008-11-21 at 10:11 -0600, Stephen Bader wrote:

> In looking at the output from Wireshark, I'm unable to determine why
> the laptop would have been sent a copy of this packet. Have any of you
> ever seen anything like this? Am I overlooking something in the packet
> that is causing it to be broadcast across the entire vlan?

Investigate the CAM tables of all switches involved and the spanning
tree situation of the VLAN your Wireshark sniffer and the other client
are connected to.

Probably "your" switch has never (or not for long enough for the CAM table
timeout to occur) seen an Ethernet frame from that client back to the
server (or to anywhere else, for that matter), hence it does not know
beyond which one of its ports that client's MAC address "lives".

But for some reason (maybe because of a stale CAM table entry in its
upstream switch), frames with that client's destination MAC address are
forwarded to "your" switch, and since it does not know exactly where to
forward them to, it does what switches always do with frames containing
yet-unknown destination addresses: flood them out of all ports of that
VLAN, which is why you'll see them.

If you send a ping to that client from your Wireshark laptop, its
ARP and ICMP Echo replies will give the switch(es) a chance to relearn
that client's MAC address, and the flooding of these frames should stop
instantly.

On a side note: this just goes to show that considering a switched
network "more secure" than a shared-media network (e.g. a hub or a
stretch of coax cable with T connectors) is an illusion. Information
leakage can and will occur within a single broadcast domain. VLANs
bring broadcast domain separation and can help here, but "switching"
alone won't.

regards

Marc
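The following is an added example, not code from the mailing-list post or from Wireshark. It models the mechanism Marc describes with two cascaded learning switches (hypothetical names UPSTREAM and MINE), shows the server's unicast frame being flooded to the sniffer port once MINE's CAM entry for the client has aged out while UPSTREAM's has not, shows the ping from the sniffer relearning the client, and includes the capture-side check a Wireshark user would apply: unicast frames whose destination is not the capturing host's MAC. All MAC addresses (IANA documentation range), port names, timings and the differing aging timers are constructed for the illustration.

```python
"""Toy model of unknown-unicast flooding between two learning switches.

Added example, not from the original post.  Assumptions (all constructed):
UPSTREAM has ports server+trunk and a 1800 s CAM aging timer, MINE has ports
trunk+sniffer+client and the usual 300 s timer; the two boxes therefore do
not forget the client's MAC at the same moment, which is the "stale entry in
the upstream switch" situation described in the reply.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed addresses from the IANA documentation block 00:00:5e:00:53:xx.
SERVER, CLIENT, SNIFFER = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"


def is_group(mac):
    """True for broadcast/multicast: the I/G bit (lowest bit of octet 0) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, name, ports, aging):
        self.name = name
        self.ports = list(ports)
        self.aging = aging          # seconds before a CAM entry is forgotten
        self.cam = {}               # mac -> (port, time last seen as source)

    def lookup(self, mac, now):
        entry = self.cam.get(mac)
        if entry and now - entry[1] <= self.aging:
            return entry[0]
        self.cam.pop(mac, None)     # aged out: behave as if never learned
        return None

    def forward(self, src, dst, in_port, now):
        """Learn src behind in_port, return the egress ports for the frame."""
        if not is_group(src):
            self.cam[src] = (in_port, now)
        out = None if is_group(dst) else self.lookup(dst, now)
        if out is None:             # broadcast, multicast or unknown unicast
            return [p for p in self.ports if p != in_port]   # flood
        return [] if out == in_port else [out]


def send(upstream, mine, src, dst, origin, in_port, now):
    """Inject one frame at (origin, in_port); return the ports of MINE it leaves on."""
    first, second = (upstream, mine) if origin is upstream else (mine, upstream)
    egress = first.forward(src, dst, in_port, now)
    mine_ports = {p for p in egress if first is mine and p != "trunk"}
    if "trunk" in egress:           # the trunk carries it to the other switch
        egress2 = second.forward(src, dst, "trunk", now)
        if second is mine:
            mine_ports |= set(egress2)
    return sorted(mine_ports)


def run_scenario():
    upstream = LearningSwitch("UPSTREAM", ["server", "trunk"], aging=1800)
    mine = LearningSwitch("MINE", ["trunk", "sniffer", "client"], aging=300)
    log = {}
    # t=0: the client talks to the server; both switches learn where it lives.
    send(upstream, mine, CLIENT, SERVER, mine, "client", now=0)
    # t=600: the server replies.  UPSTREAM still remembers the client (1800 s),
    # MINE has aged it out (300 s) -> unknown unicast -> flooded to every port.
    log["before"] = send(upstream, mine, SERVER, CLIENT, upstream, "server", now=600)
    # The sniffer pings the client: the ARP request is broadcast (flooded anyway)...
    send(upstream, mine, SNIFFER, BROADCAST, mine, "sniffer", now=601)
    # ...and the client's ARP reply lets MINE relearn it behind port "client".
    send(upstream, mine, CLIENT, SNIFFER, mine, "client", now=601)
    # t=602: the next server frame is switched to the client only.
    log["after"] = send(upstream, mine, SERVER, CLIENT, upstream, "server", now=602)
    return log


# Constructed capture as seen on the sniffer port at t=600: one flooded
# unicast frame for the client, one broadcast ARP, one frame for the sniffer.
SAMPLE_FRAMES = [
    {"src": SERVER, "dst": CLIENT, "proto": "TCP"},
    {"src": CLIENT, "dst": BROADCAST, "proto": "ARP"},
    {"src": SERVER, "dst": SNIFFER, "proto": "TCP"},
]


def flooded_unicast(frames, my_mac):
    """Frames a properly switched port should never show: unicast, but not ours."""
    return [f for f in frames
            if not is_group(f["dst"]) and f["dst"].lower() != my_mac.lower()]


if __name__ == "__main__":
    result = run_scenario()
    print("server->client egress on MINE before ping:", result["before"])
    print("server->client egress on MINE after ping: ", result["after"])
    for f in flooded_unicast(SAMPLE_FRAMES, SNIFFER):
        print("flooded unicast seen by sniffer:", f)
```

The `flooded_unicast` check is what you would express in Wireshark as a display filter on unicast frames (I/G bit clear) whose `eth.dst` is not your own address; a non-empty result on a port that should only see its own traffic is the symptom, and the switches' CAM tables are where to look for the cause.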