Hansang is correct. You should only be spanning the server port in order to get the data you wish to capture.
Wes
--- On Wed, 8/13/08, Hansang Bae <hbae@xxxxxxxxxx> wrote:
From: Hansang Bae <hbae@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Help with troubleshooting SQL and application server communication
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Wednesday, August 13, 2008, 9:20 PM
Michael Montgomery wrote:
> Hi Bill,
>
> Before I waste any of your time looking at my captures, I'm wondering if I've set the capture up correctly. The two hosts, the DB and App server, are on a Cisco Catalyst 6509. I've SPAN'd both the DbServer and AppServer ports to the port Wireshark is on. The statistics I gave you before were from this setup. I also wanted to point out that sometimes I configured the capture with inkpkts enabled and sometimes with inkpkts disabled on the switch. Would this setup cause the excessive out-of-order warnings? Either way, what would be the best way to capture the traffic between the two hosts?
>
> Thank you
*One* 6500? Or separated by multiple 6500s?
If you span'ed both servers and they are residing on the same switch, you will have

1) duplicated every packet (out of DB server, into the App server)
2) Possibly overrun the output buffer of the monitor port. Do a "sho mac x/y" where x/y is your monitor port to see if you are dropping packets to your sniffer.
3) Packets missing because they were dropped on the monitor port is easy enough to spot if you have a lot of experience with protocol analysis, but why bother if you don't have to.
--
Thanks, Hansang
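An added example, not part of the original thread: a Python sketch that finds the duplicated frames a capture contains when both server ports are mirrored to one monitor port, so an existing capture can still be analysed. It assumes a classic little-endian pcap file and that both hosts sit in the same VLAN, so the two mirrored copies are byte-identical; the function names, window sizes and sample frames are constructed for illustration.

```python
import hashlib
import struct
from collections import deque

FILE_HDR = struct.Struct("<IHHiIII")  # classic pcap file header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(blob):
    """Yield (timestamp_in_microseconds, frame_bytes) from a classic pcap blob."""
    if FILE_HDR.unpack_from(blob, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian, microsecond-resolution pcap")
    off = FILE_HDR.size
    while off + REC_HDR.size <= len(blob):
        sec, usec, incl, _orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + incl > len(blob):
            break  # truncated final record
        yield sec * 1_000_000 + usec, blob[off:off + incl]
        off += incl

def find_span_duplicates(packets, window=8, max_gap_us=1000):
    """Return (kept_frames, duplicate_indexes).

    A frame counts as a SPAN duplicate when a byte-identical frame was kept
    within the last `window` frames and `max_gap_us` microseconds. The time
    bound keeps genuine later repeats, which matter for the diagnosis.
    """
    recent = deque(maxlen=window)  # (digest, timestamp) of recently kept frames
    kept, dups = [], []
    for i, (ts, frame) in enumerate(packets):
        digest = hashlib.sha256(frame).digest()
        if any(d == digest and ts - t <= max_gap_us for d, t in recent):
            dups.append(i)
            continue
        recent.append((digest, ts))
        kept.append(frame)
    return kept, dups

def build_sample_pcap():
    """Constructed capture: query and reply each mirrored twice, then a late repeat."""
    app, db = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"  # made-up MACs
    query = db + app + b"\x08\x00" + b"constructed query"
    reply = app + db + b"\x08\x00" + b"constructed reply"
    records = [(1, 0, query), (1, 20, query), (1, 400, reply), (1, 415, reply), (1, 300000, query)]
    blob = FILE_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        blob += REC_HDR.pack(sec, usec, len(frame), len(frame)) + frame
    return blob

if __name__ == "__main__":
    kept, dups = find_span_duplicates(read_pcap(build_sample_pcap()))
    print(f"kept {len(kept)} frames, dropped duplicates at indexes {dups}")
```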