Spanning tree packet in wireshark

Hi,
I'm trying to study the spaning tree protocol deeply, do i sniff the sapning with wireshark from my PC (I delete the portfast from the port to my PC in the switch, so i can get the bpdu tarfiic to my PC), and I sawthat source of the stp packet is the mac of the port in the switch that my PC is connected to. Why the mac source is not the root bridge's mac? (i see the mac of the root bridge in the stp layer of the packet, in the root bridge system ID).

Find more posts tagged with

Comments

waxtrax

If you want to fully capture and understand Spanning-Tree BPDUs, you should capture packets directly on the switch if it supports it, or set up a SPAN session toward your packet capture PC. Remember, too, that STP is an inter-switch protocol, not a switch-to-host protocol. You should still see IEEE-formatted BPDUs on access ports, though, unless the switch is configured to filter them.

rob42

Just a thought, but can you not put a HUB in-line between the two Switches, then plug your PC into the HUB and capture the packets?

fredrikjj

shush wrote: »

I sawthat source of the stp packet is the mac of the port in the switch that my PC is connected to. Why the mac source is not the root bridge's mac? (i see the mac of the root bridge in the stp layer of the packet, in the root bridge system ID).

My guess is it that it's because it would screw up the mac address learning process to send all BPDUs with the root bridge MAC as source. Imagine two switches A and B, connected with two links between them. One of these links will be shut down, and one of the switches will have a blocking port. Which one is blocking of course depends on which switch is the root and port costs or the sender port id, etc. However, even blocked ports need to receive BPDUs so BPDUs will continue to be sent from both ports on the root switch down to the other switch.

When those BPDUs are received, the switch installs the source mac address in the mac address table. If the root bridge mac address was used as the source mac on the BPDUs sent out both ports, the receiving switch would continuously have to modify the mac address table since a mac address can only be associated with one port.

This could be wrong, just speculating.

tunerX

Which spanning tree packet do you want to see?

Each switch sends its own BPDU then there is the discovery which causes each switch to realize the root and then the L2 network converges. You will want a multi phased approach.

Two switches will yield packets. Three switches will yield packets. You know the priority, mac address, and port numbers. So you should be able to calculate which switch will be root, which ports will be forwarding, and which ports will be blocked before you even connect them together. Once you can do it on paper which is easier than doing it with packet captures... you can then capture the packets and see the metrics contained in each packet to validate your understanding.

A HUB will show the packets. A switch with span sessions will show the packets. A hub will only be useful between two switches. A switch with span sessions will be useful between multiple switches as long as you have one session for each switch link.

tunerX

Yes you are speculating. You don't need to do that.

The root is determined before any switch is connected with any port. The information from each switch determines the root and all information from that root determines the path to the root. There aren't any gotchas or magic bean situations here.

The only time you should see a gotcha is when you can fudge the numbers and cause switches to have identical mac addresses. Then you have a problem.