Spanning tree packet in wireshark
Hi,
I'm trying to study the spanning tree protocol deeply, so I sniff the spanning tree with Wireshark from my PC (I deleted portfast from the port to my PC on the switch, so I can get the BPDU traffic to my PC), and I saw that the source of the STP packet is the MAC of the port on the switch that my PC is connected to. Why is the source MAC not the root bridge's MAC? (I see the MAC of the root bridge in the STP layer of the packet, in the root bridge system ID.)
Comments
My guess is that it's because it would screw up the MAC address learning process to send all BPDUs with the root bridge MAC as source. Imagine two switches A and B, connected with two links between them. One of these links will be shut down, and one of the switches will have a blocking port. Which one is blocking of course depends on which switch is the root and port costs or the sender port ID, etc. However, even blocked ports need to receive BPDUs, so BPDUs will continue to be sent from both ports on the root switch down to the other switch.
When those BPDUs are received, the switch installs the source MAC address in the MAC address table. If the root bridge MAC address was used as the source MAC on the BPDUs sent out both ports, the receiving switch would continuously have to modify the MAC address table, since a MAC address can only be associated with one port.
This could be wrong, just speculating.
Each switch sends its own BPDU, then there is the discovery which causes each switch to realize the root, and then the L2 network converges. You will want a multi-phased approach.
Two switches will yield packets. Three switches will yield packets. You know the priority, MAC address, and port numbers. So you should be able to calculate which switch will be root, which ports will be forwarding, and which ports will be blocked before you even connect them together. Once you can do it on paper, which is easier than doing it with packet captures... you can then capture the packets and see the metrics contained in each packet to validate your understanding.
A hub will show the packets. A switch with SPAN sessions will show the packets. A hub will only be useful between two switches. A switch with SPAN sessions will be useful between multiple switches as long as you have one session for each switch link.
The root is determined before any switch is connected with any port. The information from each switch determines the root and all information from that root determines the path to the root. There aren't any gotchas or magic bean situations here.
The only time you should see a gotcha is when you can fudge the numbers and cause switches to have identical MAC addresses. Then you have a problem.
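The "do it on paper" calculation from the comments, as an added example that is not part of the original thread: it elects the root from priority and MAC, then derives root, designated and blocking ports for the two-switch, two-link case and for a three-switch triangle. The switch names, MAC addresses, the per-link cost of 19 and the use of the bare port number as port ID (default port priority) are constructed assumptions.

```python
from collections import namedtuple

Link = namedtuple("Link", "a a_port b b_port cost")

def stp_roles(bridges, links):
    """bridges: {name: (priority, mac)}. Returns (root, {(bridge, port): role}).
    Assumes a connected topology and equal (default) port priorities."""
    bid = {n: (prio, mac.lower()) for n, (prio, mac) in bridges.items()}
    root = min(bid, key=bid.get)              # lowest (priority, MAC) wins
    ports = {}                                # (bridge, port) -> what it faces
    for l in links:
        ports[(l.a, l.a_port)] = (l.b, l.b_port, l.cost)
        ports[(l.b, l.b_port)] = (l.a, l.a_port, l.cost)
    # Root path cost per bridge: relax over the links until nothing improves.
    rpc = {n: (0 if n == root else float("inf")) for n in bid}
    changed = True
    while changed:
        changed = False
        for (br, _), (nb, _, cost) in ports.items():
            if rpc[nb] + cost < rpc[br]:
                rpc[br], changed = rpc[nb] + cost, True
    roles = {}
    # Root port: best (path cost, sender bridge ID, sender port ID, own port ID).
    for n in bid:
        if n != root:
            best = min((rpc[nb] + cost, bid[nb], nb_port, port)
                       for (br, port), (nb, nb_port, cost) in ports.items()
                       if br == n)
            roles[(n, best[3])] = "root"
    # Each link has one designated port, on the end that advertises the better
    # (root path cost, bridge ID, port ID). The other end blocks unless it is
    # that bridge's root port.
    for l in links:
        ends = [(rpc[l.a], bid[l.a], l.a_port, l.a),
                (rpc[l.b], bid[l.b], l.b_port, l.b)]
        winner = min(ends)
        for end in ends:
            key = (end[3], end[2])
            if key not in roles:
                roles[key] = "designated" if end is winner else "blocking"
    return root, roles

# Constructed sample topologies (names, MACs and costs are made up).
TWO = ({"A": (32768, "00:00:00:00:00:0a"), "B": (32768, "00:00:00:00:00:0b")},
       [Link("A", 1, "B", 1, 19), Link("A", 2, "B", 2, 19)])
TRIANGLE = ({"A": (32768, "00:00:00:00:00:0a"), "B": (32768, "00:00:00:00:00:0b"),
             "C": (4096, "00:00:00:00:00:0c")},
            [Link("A", 1, "B", 1, 19), Link("B", 2, "C", 1, 19),
             Link("A", 2, "C", 2, 19)])

if __name__ == "__main__":
    for bridges, links in (TWO, TRIANGLE):
        print(stp_roles(bridges, links))
```

In the two-link case the root keeps both of its ports designated and keeps sending BPDUs on both, which is the situation the first comment describes.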