Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
local routing
- Thread starter ciscomeo
- Start date
There should be an (short) answer in your help of the expert. But;
If Sniffer sees two stations on the same physical segment talking to each other using a router, it gives the expert announcment Local ROuting.
Normally these stations should be able to reach each other directly WITHOUT the use of a router if they are on the same IP subnet.
But, if you have for example TWO STATIONS on ONE physical ethernet and the two stations are in a DIFFERENT IP SUBNET (let say sation A is 192.168.1.10/24 and station B is 192.168.2.10/24) the need a router to communicate.
At that point Sniffer will also generate the Local Routing wich is a false positive is you intended to have two subnets on the same physical ethernet.
Hope this clears it up a little. if not.....post a reply.
Regards,
Robert
If Sniffer sees two stations on the same physical segment talking to each other using a router, it gives the expert announcment Local ROuting.
Normally these stations should be able to reach each other directly WITHOUT the use of a router if they are on the same IP subnet.
But, if you have for example TWO STATIONS on ONE physical ethernet and the two stations are in a DIFFERENT IP SUBNET (let say sation A is 192.168.1.10/24 and station B is 192.168.2.10/24) the need a router to communicate.
At that point Sniffer will also generate the Local Routing wich is a false positive is you intended to have two subnets on the same physical ethernet.
Hope this clears it up a little. if not.....post a reply.
Regards,
Robert
Sniff4Food
Instructor
Adding on to Robert's explanation, bear in mind that the same physical segment could be two mirror ports on a switch. Let's say that you mirror the client's port and the server's port, and they are in two different vlans. Let's say you also use different IP subnets for your different vlans. Well, of course, it must go through a router (or a layer 3 switch which is still a router).
The Sniffer sees the frame leave the client with the MAC destination of the router, the Sniffer sees the same frame (from the IP layer up) then come from the router's MAC with the Server as the destination. Seeing the frame twice with different MAC destinations is what keys off the Expert diagnosis. If you had been mirroring only the client's port, you would not have seen the diagnosis. The process of sending it to the layer 3 switch and then sending it on to the Server would have still occured, but the Sniffer would not have seen it.
That is why I normally recommend to mirror only a single port at a time.
Betty
Life is different in BettyLand!
The Sniffer sees the frame leave the client with the MAC destination of the router, the Sniffer sees the same frame (from the IP layer up) then come from the router's MAC with the Server as the destination. Seeing the frame twice with different MAC destinations is what keys off the Expert diagnosis. If you had been mirroring only the client's port, you would not have seen the diagnosis. The process of sending it to the layer 3 switch and then sending it on to the Server would have still occured, but the Sniffer would not have seen it.
That is why I normally recommend to mirror only a single port at a time.
Betty
Life is different in BettyLand!
Hi,
I am currently sniffing AIX servers on a Cisco 4507 box. The servers are ether-channeled at the box and at the switch, so I am mirroring the port-channel. I am using EtherPeek and in the expert as well, I am seeing local routing as well. Is this a product of the mirror as well?
dj
I am currently sniffing AIX servers on a Cisco 4507 box. The servers are ether-channeled at the box and at the switch, so I am mirroring the port-channel. I am using EtherPeek and in the expert as well, I am seeing local routing as well. Is this a product of the mirror as well?
dj
- Status