[Sorry for being late to the party, but came across this when looking for something else]
When you say "several foreign conversations appear", do you mean multiple packets in both directions, or just the occasional packet?
If it is full conversations, then you definitely have a problem with your switch.
If it is occasional packets, then I'd blame spanning tree changes. Recall that a switch remembers MAC addresses for 300 seconds by default. So if your switch had NOT seen a frame from a particular device for 300 seconds, and frames were sent to that MAC address, they would be forwarded to all other ports, including your WinXP/Wireshark monitor. This would continue until the owner of the MAC address sent a frame.
For devices running modern operating systems, the chances of a device NOT sending a frame for 300 seconds are pretty slim, although other more passive devices may be silent for that kind of time.
Back to spanning tree. If there is a spanning tree topology change (such as a device connecting/disconnecting to a switch port), a Topology Change Notification event is sent to the root bridge. The root bridge then sets the TCN bit on all BPDUs for the next FWD_DELAY period (15 seconds). When bridges see BPDUs with the TCN bit set, they reduce the ageing timers for the MAC address table to FWD_DELAY (15 seconds). [This is one reason why you should always enter the global configuration command `spanning-tree portfast default` - to stop the creation of TCNs whenever a switch port is activated/deactivated]
So IF there are spanning tree changes, you are more likely to see occasional packets to MAC addresses other than your own.
You do not specifically say if any of the packets you see were from another subnet (= another VLAN if your design is correct). BUT if you ARE seeing packets from another subnet/VLAN, then I would suggest that you look very carefully at your inter-switch cabling, and check the native VLAN configuration and trunk port status of all these links. If there is any "subnet/VLAN" leakage, then it could create multiple topology changes which in turn could keep the ageing timer at 15 seconds, leading to many more unexpected frames arriving on your Wireshark capture.
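A set of checks for the ageing/TCN behaviour described above, as an added example (not commands from the answer). It assumes a Catalyst IOS switch, that the capture port is Fa0/25, and a constructed MAC address for the device that is suspected of going quiet.

```cisco
! Added example, not from the answer above. Assumptions: Catalyst IOS syntax,
! capture device on Fa0/25, quiet device MAC 0000.0c12.3456 (constructed value).

! 1. Current MAC-table ageing time. Default is 300 s; a value of 15 s means
!    the switch is currently seeing BPDUs with the TCN bit set.
show mac address-table aging-time

! 2. Is the quiet device's MAC still in the table, and on which port?
!    If it is absent, unicast frames to it are flooded to every port in the
!    VLAN, including the port where Wireshark is listening.
show mac address-table address 0000.0c12.3456

! 3. How often is the topology changing, and which port caused the last
!    change? Look for the line reporting the number of topology changes and
!    the "from <interface>" line that follows it. A rising count pointing at
!    an access port is the TCN source the answer describes.
show spanning-tree detail

! 4. The answer's recommendation: stop access ports from generating TCNs on
!    link up/down, then confirm the default took effect.
configure terminal
spanning-tree portfast default
end
show spanning-tree summary
```

If step 3 shows the last change coming from an inter-switch link rather than an access port, that points back to the trunk/native-VLAN check in the answer rather than to portfast.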
If you had several IP addresses assigned to the same NIC without using VLANs, you would most likely end up in the situation requiring what MS DHCP calls superscopes.
See here: https://technet.microsoft.com/fr-fr/library/dd183662(v=ws.10).aspx
This allows you to group several DHCP scopes into one super-scope, and the server will then check to see if there is a match within any of those scopes, and not just the one associated with whatever IP it thinks is the primary NIC IP.
So in your situation, assuming I understood it correctly, if you did not set up superscopes, you would not be getting an IP. Removing the second NIC IP then gets you out of that situation and back into traditional DHCP behaviour.
Best Answer
The client switchport or the server switchport can be monitored. A third switchport can be configured as a mirror port. This means that this mirror port will receive copies of all packets on the corresponding original port, while the original traffic won't be affected.
For example, on the Catalyst 3560:
Enter configuration mode:
Define the source and set the session number:
Here, the session number can be from 1 to 66; you could also specify a VLAN or an EtherChannel. Also, interface ranges such as `fa 0/25 - 26` are possible, and interface lists, such as `fa 0/24, fa 0/26`, if you would like to monitor several clients at the same time. Also, by repeating the command you can add ports, or remove them using `no`. Mixing ports and VLANs is not possible in the same session; another restriction is that you cannot use a destination port as a source port.
Define the destination port:
You can use a normal port, but not a VLAN. Similarly to above, a destination port cannot be a source port: a port used here can either be a source or a destination port, and only of one session. Again, you can specify multiple ports like above.
You may want to `exit` configuration mode and save the config. You may have a look at your defined session - here multiple ports, tried like above:
You can see an encapsulation here - optionally you can set it to `replicate` for replicating the source interface encapsulation method, such as by adding `encapsulation replicate` after the source interface. Furthermore, you can specify a direction (`tx`, `rx`, `both`), filter VLANs and more. The `Ingress: Disabled` line means that the switch will not accept any frames presented to it by your capture device on a destination port. For such finer details and for further restrictions and default settings have a look at the command reference of the IOS version of your switch.
Once you have configured source and destination port, you can capture the traffic using your laptop connected to the destination port, for example with Wireshark.
The number of source sessions can be limited, for example the 3560 supports a maximum of 2.
After the capturing, don't forget to remove this session configuration.
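The full SPAN session lifecycle from the answer above, written out as an added example (these are not the answer's own commands). It assumes a Catalyst 3560 with the server on Fa0/24, the client on Fa0/26, the capture laptop on Fa0/25, and that session 1 is free.

```cisco
! Added example, not from the answer. Assumptions: Catalyst 3560 IOS syntax,
! server on Fa0/24, client on Fa0/26, capture laptop on Fa0/25, session 1 unused.
configure terminal

! Source ports: server and client as an interface list, mirrored in both
! directions ("both" is the default; "rx" or "tx" narrows it).
monitor session 1 source interface fastethernet0/24 , fastethernet0/26 both

! Destination port for the capture laptop. "encapsulation replicate" keeps the
! frames' original tagging so Wireshark sees the VLAN tags as sent on the wire.
! Ingress stays disabled by default, so the laptop cannot inject frames into
! the network through this port.
monitor session 1 destination interface fastethernet0/25 encapsulation replicate
end

! Verify the session (source, destination, direction, encapsulation, ingress)
! before starting the capture.
show monitor session 1

! Only save if the session is meant to survive a reload; for a one-off
! capture it is usually better not to.
! copy running-config startup-config

! After the capture: remove the session so the mirror port does not keep
! copying traffic to whatever is plugged in there next.
configure terminal
no monitor session 1
end
show monitor session 1
```

The final `show monitor session 1` should report no such session; if it still lists one, the `no` form was applied to the wrong session number.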