Wireshark · Wireshark-users: Re: [Wireshark-users] Terminal Server traffic

[Jaap Keuter <jaap.keuter@xxxxxxxxx>]

Hi,

When I switch off the TCP dissector preference "analyze TCP sequence numbers", 
all that is left are duplicate packets for the vlan. Apply this filter to see:
ip.src == 10.10.10.0/24 && ip.dst == 10.10.10.0/24

Thanx,
Jaap

Albert Jurado wrote:
> I've attached a small capture file.  Maybe someone can take a look at it and make something of it.
>
> If you look for the following ip address (10.10.10.23) you'll should see the out of order packets.
>
> Albert Jurado
> Network Manager
> First Commercial Insurance Company 
> 2300 W 84 St.
> Hialeah, FL 33016
> Phone: (305) 820-4848 ex. 1206
> Mobile: (305) 873-4400
> Email:  ajurado@xxxxxxxxxxxxxxxx
>  
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Monday, March 10, 2008 7:38 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Terminal Server traffic
>
> Hi,
>
> Well a packet coming in has to come out somewhere. If the router passes them 
> both to the sniffer you'll see it twice (with a different MAC address, of 
> course, and maybe a different VLAN tag, and a TTL-1, but still.
>
> Thanx,
> Jaap
>
> Albert Jurado wrote:
> > Why would it see double?
> >
> > Albert Jurado
> > Network Manager
> > First Commercial Insurance Company 
> > 2300 W 84 St.
> > Hialeah, FL 33016
> > Phone: (305) 820-4848 ex. 1206
> > Mobile: (305) 873-4400
> > Email:  ajurado@xxxxxxxxxxxxxxxx
> >  
> > -----Original Message-----
> > From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> > Sent: Monday, March 10, 2008 1:31 PM
> > To: Community support list for Wireshark
> > Subject: Re: [Wireshark-users] Terminal Server traffic
> >
> > Hi,
> >
> > I may be dependant how you configured the monitoring port on the core router. 
> > If it captures both ingress and egress packets it start to see double. The 
> > details I leave to the network operator buffs ;) .
> >
> > Thanx,
> > Jaap
> >
> > Albert Jurado wrote:
> > > As of last week we started to monitor traffic from our internal Terminal 
> > > Server to our internal SQL server using wireshark.
> > >
> > > Our network is segmented in the following way:
> > >
> > > VLAN for servers
> > >
> > > Data VLAN for each floor in the building (six in total).
> > >
> > > We installed wireshark on a separate workstation plugged into our core 
> > > router with a monitoring port configured
> > >
> > > Our first capture revealed over 40% of the traffic as “out-of-order” 
> > > packets.  When we performed a capture from the terminal server there was 
> > > no such traffic. 
> > >
> > > I wondering if this type of behavior is normal for terminal server 
> > > communication.  I hope someone can shed some light on this matter for 
> > > me, it would greatly appreciated.
> > >
> > > Thanks!
> > >
> > > *Albert Jurado*