Hi all,
Two questions here really: the first is a 'how can I save time'
type question, the second is more a general call for ideas on
my strategy or problem; see below.
Having just spent at least an hour manually 'fixing' a trace,
I thought I'd see if there was a better way next time.
Is there an easy way I can remove or 'unmark' duplicate IP
frames in a capture file?
I currently have a trace file with lots of packets that
are duplicated. I know they are duplicates because the
IP SRC, dest, length, id, etc. all match; the frames match
exactly at all levels except for the timestamp, which has a
delta of 0.000001 or lower.
Possibly something in mergecap where I can put a check:
if frame2 == frame1 (except timestamp) then discard frame2.
The background (aka why am I asking this anyway?):
I have an application where I am monitoring traffic on a
VLAN that is carried over two Cisco switches (6509s).
The switches are trunked together and I presently have a
port on each switch connecting to a Solaris box with a
quad Ethernet card (qfe2, qfe3).
I have the Cisco SPAN configured to mirror to the link
to the Solaris box on each switch.
I then run two instances of tethereal on the Solaris
box to capture to disk anything received on the interfaces.
On Solaris I just 'ifconfig qfe2 plumb' the interfaces, as
it is intended to be a passive tap environment.
Later once I've performed the traffic tests etc and want
to analyse the trace, I take the two capture files and use
mergecap to combine them into a single file.
The idea behind this is to ensure I see all the traffic,
no matter which of the two switches forwards the traffic.
My problem is that occasionally (and unfortunately not
consistently) I get the situation where my combined trace
file has a ton of duplicate packets.
Typically it's in one direction only, e.g. every packet from
a->b is duplicated in my trace for several minutes.
Then everything is normal for a few minutes until sometime
later I again get full duplicates.
My most recent example had ~2k duplicate packets in a trace
containing ~13k total frames.
Investigation shows whenever I have these duplicates I am
getting the packets showing up in both capture files.
This is strange as I am confident the applications are only
transmitting single packets.
As previously stated this is not consistent, e.g. in the
current example the 'duplicates' stop after about 3 mins.
I think I can summarise the problem areas:
1. Problem with Cisco switches + SPAN function
2. Problem with quad Ethernet adapter on Solaris box
3. Problem with pcap on Solaris box
4. Problem with tethereal on Solaris box
5. Problem with writing to capture file on Solaris
I might have to get a second box for test purposes.
Then I can hopefully narrow down whether the problem is
due to the switches or the server doing the monitoring.
Any other ideas from anyone?
Thanks,
Tony
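A pure-Python pass over a classic pcap that implements the "if frame2 == frame1 (except timestamp) then discard frame2" check asked for above; this is an added example, not code from the post, mergecap or tethereal, and the Ethernet frames and timestamps in SAMPLE are constructed to reproduce the symptom.

```python
import struct

# Classic pcap file: little-endian magic, version 2.4, usec timestamps, Ethernet link type
GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_pcap(frames):
    """(timestamp_us, frame bytes) records -> classic pcap file bytes."""
    out = bytearray(GLOBAL_HDR)
    for ts_us, data in frames:
        sec, usec = divmod(ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)

def read_pcap(blob):
    """Classic pcap bytes (either byte order) -> list of (timestamp_us, frame bytes)."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    frames, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        frames.append((sec * 1_000_000 + usec, blob[off:off + caplen]))
        off += caplen
    return frames

def dedupe(frames, window_us=1):
    """Drop frames byte-identical to a kept frame within window_us; later retransmits survive."""
    kept, last_seen = [], {}            # last_seen: frame bytes -> timestamp of the kept copy
    for ts_us, data in frames:
        prev = last_seen.get(data)
        if prev is not None and abs(ts_us - prev) <= window_us:
            continue                    # second SPAN session's copy of the same frame
        last_seen[data] = ts_us
        kept.append((ts_us, data))
    return kept

def eth(payload):
    """Constructed Ethernet frame: dst MAC, src MAC, EtherType 0x0800, then payload."""
    return bytes.fromhex("001122334455" "00aabbccddee" "0800") + payload

# Constructed sample reproducing the symptom: a->b frames arrive twice, <= 1 us apart
SAMPLE = [
    (1_000_000, eth(b"a->b seq 1")),
    (1_000_001, eth(b"a->b seq 1")),   # mirror copy, 1 us later: drop
    (1_000_500, eth(b"b->a seq 1")),
    (1_000_500, eth(b"b->a seq 1")),   # mirror copy, same timestamp: drop
    (5_000_000, eth(b"a->b seq 1")),   # genuine retransmit 4 s later: keep
]
```

Run it as `build_pcap(dedupe(read_pcap(open("merged.pcap", "rb").read())))` on the mergecap output; current editcap has the same check built in (`-d`, `-D <window>`, `-w <seconds>`).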