Crazy sniffing

The story is simple – you fire up your Wireshark and start sniffing (you may have your IP set or not – doesn’t matter). What happens? Usually you see a bunch of broadcast or mulitcast messages etc. You may see unicast packets as well. However in case of unicast, your IP must be the source or destination IP, right? Let’s assume you haven’t been a bad boy yet (no MitM tricks here).

Here comes the interesting part. In the past couple weeks, we had the same issue at two different places. We connected our laptops and started sniffing. We saw all the usual stuff, but we also captured unicast packets coming from and going to DIFFERENT hosts. I know what you’re thinking – we got a span port or we were connected to a hub – easy. Well, there are two problems with this theory:
1) It wasn’t the case – we checked it together with the network guys 😉
2) If that would have been the case, we could saw ALL traffic. But we saw only fragments.

Sometimes we got just FIN, RST or SYN packets. In other cases we could capture partial SMB file transfers from which we could (partially) recover the file. Also, we captured complete PCL streams – from a print server to a network printer.

It was 100% unpredictable.

We did some research together with the local network guys.

The good news is it’s a well known issue called “unicast flooding” – credit goes to Rolando 🙂
Under certain circumstances (e.g. asymmetric routing), such things may happen.

Here is a good illustrated write-up:

Of course, Cisco has its own note on the topic:

Happy Hacking!