Wireshark-users: Re: [Wireshark-users] Help with troubleshooting SQL and application server commu
From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Wed, 13 Aug 2008 21:20:33 -0400
Michael Montgomery wrote:
Hi Bill,
Before I waste any of your time looking at my captures, I'm wondering if I've set the capture up correctly. The two hosts, the DB and App server, are on a Cisco Catalyst 6509. I've SPAN'd both the DbServer and AppServer ports to the port Wireshark is on. The statistics I gave you before were from this setup. I also wanted to point out that sometimes I configured the capture with inkpkts enabled and sometimes with inkpkts disabled on the switch. Would this setup cause the excessive out-of-order warnings? Either way, what would be the best way to capture the traffic between the two hosts? Thank you

*One* 6500?  Or separated by multiple 6500s?

If you span'ed both servers and they are residing on the same switch, you will have

1) duplicated every packet (out of DB server, into the App server)
2) Possibly overrun the output buffer of the monitor port. Do a "sho mac x/y" where x/y is your monitor port to see if you are dropping packets to your sniffer.
3) Packets missing because they were dropped on the monitor port is easy enough to spot if you have a lot of experience with protocol analysis, but why bother if you don't have to.


--

Thanks,
Hansang
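
The duplication described in point 1 can be removed from a capture after the fact. The following is an added example, not part of the original post: it drops the second copy of each packet seen within a short window while keeping genuine retransmissions. The function names, the 5-packet window, the 1 ms gap and the sample frames are assumptions made for this sketch, and it assumes untagged Ethernet II frames carrying IPv4.

```python
import hashlib
import struct
from collections import deque

ETH_LEN = 14  # assumption: untagged Ethernet II header

def frame_key(frame: bytes) -> bytes:
    """Digest of the IP packet with hop-dependent fields blanked out."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return hashlib.sha256(frame).digest()  # non-IPv4: compare whole frame
    ip = bytearray(frame[ETH_LEN:])            # ignore MACs (rewritten if routed)
    ip[8] = 0                                  # TTL differs if the switch routed it
    ip[10:12] = b"\x00\x00"                    # header checksum follows the TTL
    return hashlib.sha256(bytes(ip)).digest()

def drop_span_duplicates(packets, window=5, max_gap=0.001):
    """packets: (timestamp_seconds, frame_bytes) in capture order.
    Returns (kept_packets, dropped_count)."""
    recent = deque(maxlen=window)              # keys of the last few kept packets
    kept, dropped = [], 0
    for ts, frame in packets:
        key = frame_key(frame)
        if any(k == key and ts - t <= max_gap for t, k in recent):
            dropped += 1                       # same packet, second SPAN source
            continue
        recent.append((ts, key))
        kept.append((ts, frame))
    return kept, dropped

def make_frame(ip_id, ttl, payload, src_mac=b"\xaa" * 6, dst_mac=b"\xbb" * 6):
    """Build a constructed Ethernet/IPv4 frame for the sample below."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return dst_mac + src_mac + b"\x08\x00" + ip + payload

# Constructed sample: two packets each seen twice, then a real retransmission.
SAMPLE = [
    (0.000000, make_frame(1, 64, b"SELECT 1")),
    (0.000020, make_frame(1, 64, b"SELECT 1")),                  # SPAN duplicate
    (0.000500, make_frame(2, 64, b"row")),
    (0.000520, make_frame(2, 63, b"row", src_mac=b"\xcc" * 6)),  # routed duplicate
    (0.300000, make_frame(2, 64, b"row")),                       # retransmission: kept
]

if __name__ == "__main__":
    kept, dropped = drop_span_duplicates(SAMPLE)
    print(f"kept {len(kept)} packets, dropped {dropped} duplicates")
```

Wireshark's `editcap -d` performs a similar whole-frame duplicate removal on a capture file.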