At 08:43 AM 11/22/2005, Matt Pickering wrote:
>[SNIP]
>The method I used to capture packets is as follows - I have a Cisco 2970
>switch, and all but two ports are in Vlan1, and I have set up port 23 to
>be the span destination, and vlan1 to be the span source.

As a general rule, don't span the entire VLAN. It's a sure-fire way to overrun your span port. In fact, if you want to be sure, separate the TX and RX to two span destinations. Your 2970 is capable of creating two simultaneous spans. The only headache is that unless you have a heavy duty PC that can service two NICs at once (capturing on both NICs on the same PC), you'll have to stitch the two traces together.

>The app nodes
>and the db node are all in vlan1. I then put my laptop with Ethereal
>into port 23, and started a packet capture. I suppose this could get
>packets twice, but I don't understand how there could be a time
>difference if it's the exact same packet.

It will get the packet twice since both servers are in VLAN1. You will capture it as the packet comes OUT of DB server and INTO the APP server. The time difference is due to the fact that your switch has to send you the packets (both identical) serially. It cannot send you both frames at the EXACT same time since you have two servers communicating with each other and you only have one span port.

>I will try to get a smaller packet capture when I get a chance, but I
>think maybe we're on to something. Any other suggestions are helpful
>and appreciated.

You don't have a retransmission problem. Like I said, apps will completely break if they have to retransmit every single packet.
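
Added example, not part of the original message: a Python sketch that separates the mirrored copies described above from genuine TCP retransmissions in a capture taken from a whole-VLAN span. It assumes the sender gives every datagram it transmits a new IP ID, so a mirrored copy repeats the IP ID while a real resend does not; the `Pkt` fields, the 1 ms window and the sample records are constructed for illustration.

```python
from collections import namedtuple

# One captured TCP segment; fields as a capture tool would display them.
Pkt = namedtuple("Pkt", "ts src dst ip_id seq length")

def classify(packets, dup_window=0.001):
    """Label each packet 'first', 'span-duplicate' or 'retransmission'.

    span-duplicate: same IP ID, sequence number and length seen again within
    dup_window seconds, i.e. the same frame mirrored on ingress and egress.
    retransmission: same sequence number and length, but a new IP datagram.
    """
    seen_frames = {}       # exact frame identity -> time last seen
    seen_segments = set()  # TCP segment identity, ignoring IP ID
    out = []
    for p in sorted(packets, key=lambda p: p.ts):
        frame = (p.src, p.dst, p.ip_id, p.seq, p.length)
        segment = (p.src, p.dst, p.seq, p.length)
        last = seen_frames.get(frame)
        if last is not None and p.ts - last <= dup_window:
            label = "span-duplicate"
        elif p.length > 0 and segment in seen_segments:
            # Bare ACKs (length 0) repeat sequence numbers legitimately.
            label = "retransmission"
        else:
            label = "first"
        seen_frames[frame] = p.ts
        seen_segments.add(segment)
        out.append((p, label))
    return out

# Constructed sample: app and db in one VLAN, whole VLAN mirrored to one port.
SAMPLE = [
    Pkt(0.000000, "app", "db", 100, 1000, 200),
    Pkt(0.000012, "app", "db", 100, 1000, 200),   # mirrored copy
    Pkt(0.000300, "db", "app", 500, 9000, 1460),
    Pkt(0.000311, "db", "app", 500, 9000, 1460),  # mirrored copy
    Pkt(0.200300, "db", "app", 501, 9000, 1460),  # real resend, new IP ID
    Pkt(0.200312, "db", "app", 501, 9000, 1460),  # mirrored copy of resend
]

if __name__ == "__main__":
    for pkt, label in classify(SAMPLE):
        print(f"{pkt.ts:.6f} {pkt.src}->{pkt.dst} id={pkt.ip_id} seq={pkt.seq} {label}")
```

In a capture where every data segment is labelled span-duplicate and none is labelled retransmission, the "retransmissions" a protocol analyzer flags come from the mirroring setup rather than from the network.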