Wireshark Question

I have been analysing a wireshark on a users PC and see that there are BPDU’s showing on the logs around the time an issue occurs which forces them to loose connectivity to a server. Does anyone know if its a normal thing to see switch BPDU on a host? I have not been able to find any material to suggest it is or isn’t. Also see DHCP informs hitting the machine, which appear to be from another machine broadcast, not sure what these are either. :confused:

Hi Nick,

Cisco switches send BPDUs on each and every interface, including interfaces that are in access mode and connected to hosts. From a security perspective, it’s best to filter these since you don’t want anyone running tools on their host to affect your spanning-tree topology.

These BPDUs don’t cause any issues for your host though.

If you want to filter them anyway, you can use BPDU filter on interfaces that connect to hosts so your switch doesn’t send them anymore:

And use BPDU guard to put the interface in err-disable mode when you receive a BPDU:

DHCPINFORM packets are used by hosts that are configured with a static IP address. They can use this to fetch other information from the DHCP server (like a DNS server or other options).

Does your host have any other connectivity issues or only with this server?


Thank Rene

Its only an issue with his server when the connection is through a load balancer. If it goes direct it’s fine. But the load balancer is set to persistent source IP, and there appears no issue with that… But what I saw on the users pc during a wireshark, was that the pc went through a DHCP process of asking where its default gateway was just before it disconnected. It appears they connect to a hsrp router and it didnt seem to know what to use as the gateway mac.
Since then I suggested a static IP to again rule out the load balancer and things have been fine… Which is ok for one user but there are several hundred users of the application… The load balancer can have a cookie session instead of source IP, but the customer would need to request it

Hi Nick,

If your load balancer uses persistent source IP and your client unexpectedly gets a new IP address, that might be an issue yes. Is there anything in between your HSRP devices and the client that could cause your host to lose the MAC address of your HSRP gateway?


Hi Rene

Unfortunately we just manage the load balancer, but I asked for wireshark to try find an underlying fault. The only thing I could think of that causes it to lose hsrp would be a mac flap?

Hi Nick,

There are a couple of things that could go wrong but it’s difficult to say without knowing the topology and configurations.