syslog messages on switched network

We have a syslog server on our network that is used by a lot of clients (cisco, linux boxes) for remote logging.  I was looking at network traffic and noticed that the syslog traffic was showing up on my desktop interface.  This is one way udp traffic from the host to the server.  I am on a switched network, so I do not understand how I can see this traffic.  The switch should not let this through on all ports.  It is like the switch is acting like a hub.  Is there any explanation for this?  I do not see any other host-to-host traffic, only syslog, broadcast and traffic destined for my pc.  Also, it seems that the traffic shows up in bursts.  It is not there all the time.

Tcpdump output looks like this:

16:05:52.846444 IP 198.XXX.XXX.1.syslog > 198.XXX.XXX.7.syslog: UDP, length 124


Sounds like you have a syslog client (most likely on one of the Linux boxes) that is configured to broadcast.  Here's an implementation for a Unix/Linux platform that allows broadcasts:

Is the traffic consistently originating from a certain IP(s)? If so, I'd check what OS & what syslog client implementation is running on the sending host.
credogAuthor Commented:
The traffic seems to be mostly coming from a pix firewall, however the packets do not appear to be broadcasts.  As you can see from the tcpdump sample it seems to be coming from a certain IP and going to a certain IP.  I will verify the source IP today.  Just don't understand why I am seeing that traffic.
Another possibility is that the switch is confused or overloaded and doesn't know where to send these packets. For example, this can happen if someone does an arp-cache poisoning attack with a tool like dsniff. But it can also happen if the switch doesn't have enough memory or backplane bandwidth for the amount of hosts/traffic.

Egads, yes I'm blind. <note to self, more caffeine next time>  You're absolutely right, not a broadcast!  

I agree w/ chris_calabrese... If the traffic is visible on your box only in bursts, then I'd check utilization on the switch (if it's a managed type), or possible arp problems as mentioned above.
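The two answers above boil down to one check a defender can automate: on a working switch, the only unicast packets your port should carry are the ones addressed to your own IP, so any other unicast (like the syslog flow in the tcpdump sample) is evidence of flooding, whether from an overloaded switch, a full MAC table, or ARP-cache poisoning, and bursts of it are worth correlating with switch utilization. The script below is an added example, not code from this thread or from Experts Exchange. It parses tcpdump-style lines, separates expected traffic (to us, broadcast, multicast) from unexpected unicast, groups the unexpected packets per flow, and counts bursts. The sample capture, the local IP 198.51.100.20 and the subnet 198.51.100.0/24 are all constructed values in a documentation address range, and the "more than one second between packets starts a new burst" rule is an assumption you would tune for your own network.

```python
"""Flag unicast traffic that a host on a switched segment should not see.

A correctly working switch delivers unicast frames only to the port that owns
the destination MAC, so unicast packets addressed to some other host that show
up on our interface indicate flooding (overloaded switch, exhausted MAC table,
ARP-cache poisoning). Broadcast and multicast are expected on every port.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches tcpdump's "HH:MM:SS.usec IP src.port > dst.port: PROTO, length N"
# for UDP lines; port may be a service name such as "syslog".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:]+): "
    r"(?P<proto>\w+), length (?P<len>\d+)$"
)

# Constructed sample capture (documentation address range, not real traffic).
# 198.51.100.20 plays the role of "my desktop"; 198.51.100.7 is the syslog server.
LOCAL_IP = "198.51.100.20"
LOCAL_NET = "198.51.100.0/24"
SAMPLE = [
    "16:05:52.846444 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 124",
    "16:05:52.850100 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 98",
    "16:05:53.100000 IP 198.51.100.9.138 > 198.51.100.255.138: UDP, length 201",
    "16:05:53.200000 IP 198.51.100.30.domain > 198.51.100.20.40000: UDP, length 60",
    "16:06:10.000000 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 124",
    "16:06:10.300000 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 77",
    "16:06:10.500000 IP 198.51.100.12.5353 > 224.0.0.251.5353: UDP, length 80",
]


def parse_line(line):
    """Return a dict of fields for a matching tcpdump line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    d["t"] = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    d["len"] = int(d["len"])
    return d


def is_expected(dst, local_ip, local_net):
    """True for packets any host on the segment legitimately sees on its port."""
    a = ip_address(dst)
    if a == ip_address(local_ip):
        return True
    if a.is_multicast or a == ip_address("255.255.255.255"):
        return True
    return a == ip_network(local_net).broadcast_address


def find_unexpected_unicast(lines, local_ip, local_net):
    """Map (src, dst, dport) -> timestamps for unicast not addressed to us."""
    flows = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is None or is_expected(p["dst"], local_ip, local_net):
            continue
        flows[(p["src"], p["dst"], p["dport"])].append(p["t"])
    return dict(flows)


def burst_count(timestamps, gap=1.0):
    """Count bursts; a gap of more than `gap` seconds starts a new burst (assumed threshold)."""
    ts = sorted(timestamps)
    if not ts:
        return 0
    bursts = 1
    for a, b in zip(ts, ts[1:]):
        if b - a > gap:
            bursts += 1
    return bursts


def summarize(lines, local_ip=LOCAL_IP, local_net=LOCAL_NET):
    """Return [(src, dst, dport, packet_count, burst_count)] for unexpected flows."""
    flows = find_unexpected_unicast(lines, local_ip, local_net)
    return sorted((s, d, dp, len(ts), burst_count(ts)) for (s, d, dp), ts in flows.items())


if __name__ == "__main__":
    for src, dst, dport, n, bursts in summarize(SAMPLE):
        print(f"unexpected unicast {src} -> {dst}:{dport}: {n} packets in {bursts} burst(s)")
```

Feed it real output from `tcpdump -n` on the affected interface (the regex expects numeric addresses; TCP lines print flags instead of "UDP," and are skipped by this pattern). A non-empty report means frames for other hosts are reaching your port; if the bursts line up with spikes in the switch's MAC-table size or CPU, suspect the switch, and if the source MAC of the flooded frames keeps changing or the gateway MAC differs from what the router reports, suspect ARP poisoning.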