Wireshark-users: Re: [Wireshark-users] Terminal Server traffic

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 11 Mar 2008 00:37:43 +0100
Hi,

Well a packet coming in has to come out somewhere. If the router passes them both to the sniffer you'll see it twice (with a different MAC address, of course, and maybe a different VLAN tag, and a TTL-1, but still).

Thanx,
Jaap

Albert Jurado wrote:
Why would it see double?

Albert Jurado
Network Manager
First Commercial Insurance Company 2300 W 84 St.
Hialeah, FL 33016
Phone: (305) 820-4848 ex. 1206
Mobile: (305) 873-4400
Email:  ajurado@xxxxxxxxxxxxxxxx
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Monday, March 10, 2008 1:31 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Terminal Server traffic

Hi,

It may be dependent on how you configured the monitoring port on the core router. If it captures both ingress and egress packets it starts to see double. The details I leave to the network operator buffs ;) .

Thanx,
Jaap

Albert Jurado wrote:
As of last week we started to monitor traffic from our internal Terminal Server to our internal SQL server using wireshark.

Our network is segmented in the following way:

VLAN for servers

Data VLAN for each floor in the building (six in total).

We installed wireshark on a separate workstation plugged into our core router with a monitoring port configured.

Our first capture revealed over 40% of the traffic as “out-of-order” packets. When we performed a capture from the terminal server there was no such traffic. I'm wondering if this type of behavior is normal for terminal server communication. I hope someone can shed some light on this matter for me, it would be greatly appreciated.

Thanks!

*Albert Jurado*
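The duplication Jaap describes (the same packet mirrored on ingress and egress of the core router, differing only in MAC addresses, 802.1Q tag and TTL) as an added example that is not part of this thread: a small Python script that builds two constructed copies of one terminal-server-to-SQL frame and detects the second one by keying on everything the router does not rewrite. MAC addresses, VLAN IDs, IP addresses and the payload are made up for the demonstration.

```python
import struct

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (checksum field zeroed)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_frame(dst_mac: str, src_mac: str, vlan, ttl: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (terminal server -> SQL server:1433)."""
    eth = bytes.fromhex(dst_mac + src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan)      # 802.1Q tag: TPID + TCI
    eth += b"\x08\x00"                               # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 49152, 1433, 1000, 2000, 0x50, 0x18,
                      8192, 0, 0) + b"SELECT 1"      # constructed payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def dedup_key(frame: bytes) -> bytes:
    """Key equal for the same IPv4 packet before and after one router hop:
    drop MACs and any VLAN tag, zero the TTL and the IP header checksum."""
    off, ethertype = 12, struct.unpack_from("!H", frame, 12)[0]
    if ethertype == 0x8100:                          # skip the 802.1Q tag
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != 0x0800:
        return frame                                 # not IPv4: compare whole frame
    ip = bytearray(frame[off + 2:])
    ip[8] = 0                                        # TTL (decremented by router)
    ip[10:12] = b"\x00\x00"                          # header checksum (recomputed)
    return bytes(ip)

def find_duplicates(frames):
    """Return (index, index_of_first_copy) for every frame already seen."""
    seen, dups = {}, []
    for i, frame in enumerate(frames):
        first = seen.setdefault(dedup_key(frame), i)
        if first != i:
            dups.append((i, first))
    return dups

# Constructed SPAN capture: ingress copy on a floor VLAN, egress copy on the
# server VLAN with the router's MAC as source and the TTL decremented by one.
CAPTURE = [build_frame("0000aa000001", "0000bb000010", 0x0010, 128),  # ingress
           build_frame("0000cc000020", "0000aa000002", 0x0100, 127)]  # egress
```

Running `find_duplicates(CAPTURE)` reports the egress frame as a copy of the ingress one, which is the kind of pair Wireshark would otherwise flag as retransmitted or out-of-order.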