How to see Spanning Tree traffic...Port #?

Posted on 2006-04-13
Last Modified: 2008-02-26
I have someone on my network that has hooked up a switch that is sending out VTP stuff that is messing with my Cisco switch, and has apparently hooked up into another ISP service, causing Spanning Tree to shut off the main WAN port on our Cisco switch periodically for about 1 minute at a time every 20 minutes or so. I'm trying to figure out who it is, so I set up a SPAN port on my switch and am sniffing all the traffic, but I'm not sure what I'm looking for exactly.

What port does spanning tree run on? UDP or TCP? Will I even be able to see it with a packet sniffer?

Question by:Matrix1000
    LVL 4

    Assisted Solution

    I would mirror all traffic on the Cisco's WAN port to another port on the switch, and plug my laptop w/ Ethereal into that port. This will help you to ensure you get ALL of the traffic, and then through display filters you can drill down into what the offending machine may be. In Ethereal, Spanning Tree traffic shows up as having STP as the protocol, so that is pretty easy to differentiate. If you are using DHCP, the switch may be getting an address from your network dynamically, so you could take a look in your DHCP table and see if anything is suspect.

    LVL 79

    Accepted Solution

    I'm not so sure that it's Spanning Tree that is shutting you down; it could be ARP poisoning if the other switch (I would presume it to be something like a SOHO Linksys switch/router) has proxy ARP enabled.
    You should be able to see Spanning Tree packets. It does not use UDP or TCP. It is just STP.

    Sample from Ethereal capture on my network:
    No.     Time        Source                Destination           Protocol Info
         11 6.000367    linksys               Spanning-tree-(for-bridges)_00 STP      Conf. Root = 32768/00:0c:41:d6:1e:5a  Cost = 0  Port = 0x8003

    Frame 11 (60 bytes on wire, 60 bytes captured)
    IEEE 802.3 Ethernet
    Logical-Link Control
    Spanning Tree Protocol

    LVL 79

    Expert Comment

    Note: where my post shows source = "linksys" it should be the IP address of the switch
    LVL 2

    Assisted Solution

    Spanning tree is a layer 2 protocol; UDP and TCP are layer 4 protocols. There are no "IP ports" associated with this protocol. You should see spanning tree as its own protocol, as JK mentioned, but you should be able to see it with a sniffer. Try mirroring just one port at a time till you find one with a lot of spanning tree protocol on it. Then keep following the port on all switches downstream till you get to the port where he has this switch plugged into it.
    LVL 1

    Assisted Solution

    I'm just guessing here, but it sounds like
         Typically you get Joe User, at a conference table, wondering what to do with the Cat 5 cable when they leave, so they unplug it from their computer and plug it into an open Ethernet port, creating a switching loop.
         Killing performance on the switch network, and bringing down routers due to the excessive packet load. (Those packets are tiny, but there are millions of them.) Usually your switch can handle a full 100mb/sec load, but your firewall/gateway router is meant for a couple of megabit of medium size packets.

    What you are looking for are BPDUs: Bridge Protocol Data Units.
    Ethereal natively filters BPDUs, as do the pay-for analysers. Sniffer will show you the top talkers.

         The problem could also be a jabbering NIC.

         You can look at your switch ports (show int) for packets inbound. The one that is incrementing VERY fast is the culprit.
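
Added example, not part of any post in this thread: Python code that decodes the 802.3/LLC BPDU frames the answers describe (no IP, TCP or UDP header) and lists bridges whose MAC is not in your switch inventory. The sample frame is constructed from the root ID, cost and port ID in the Ethereal line above; its source MAC, its timers and the `known_macs` inventory are assumptions.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")  # IEEE bridge group address
LLC_STP = b"\x42\x42\x03"                # DSAP 0x42, SSAP 0x42, UI control

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_bpdu(frame):
    """Decode an 802.3/LLC spanning tree frame; return None if it is not STP."""
    if len(frame) < 21 or frame[:6] != STP_DST or frame[14:17] != LLC_STP:
        return None
    length = struct.unpack("!H", frame[12:14])[0]  # 802.3 length, not an EtherType
    bpdu = frame[17:14 + length]                   # drops Ethernet padding
    if length > 1500 or len(bpdu) < 4:
        return None
    proto, version, btype = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        return None
    info = {"src": mac(frame[6:12]), "version": version, "type": btype}
    if btype in (0x00, 0x02) and len(bpdu) >= 35:  # config or RSTP BPDU
        flags, rprio, rmac, cost, bprio, bmac, port = struct.unpack(
            "!BH6sIH6sH", bpdu[4:27])
        hello = struct.unpack("!H", bpdu[31:33])[0] / 256  # seconds
        info.update(
            flags=flags, root=f"{rprio}/{mac(rmac)}", bridge=f"{bprio}/{mac(bmac)}",
            bridge_mac=mac(bmac), cost=cost, port=port, hello=hello,
            claims_root=(rprio, rmac) == (bprio, bmac) and cost == 0)
    return info

def unexpected_bridges(frames, known_macs):
    """Map bridge MAC -> last BPDU for bridges missing from the inventory."""
    seen = {}
    for frame in frames:
        info = parse_bpdu(frame)
        if info and "bridge_mac" in info and info["bridge_mac"] not in known_macs:
            seen[info["bridge_mac"]] = info
    return seen

# Constructed sample: root ID, cost and port ID are the values in the thread's
# capture line; source MAC (assumed equal to the bridge MAC) and timers are made up.
LINKSYS = bytes.fromhex("000c41d61e5a")
_body = struct.pack("!HBBBH6sIH6sH4H", 0, 0, 0, 0, 32768, LINKSYS, 0,
                    32768, LINKSYS, 0x8003, 0, 20 * 256, 2 * 256, 15 * 256)
SAMPLE = (STP_DST + LINKSYS + struct.pack("!H", 3 + len(_body)) + LLC_STP
          + _body).ljust(60, b"\x00")

if __name__ == "__main__":
    for info in unexpected_bridges([SAMPLE], known_macs=set()).values():
        print(info["src"], "announces bridge", info["bridge"],
              "claims root:", info["claims_root"])
```

The source MAC of a flagged frame is what you then look up in each switch's MAC address table to find the port it was learned on.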
