Wireshark-users: Re: [Wireshark-users] Terminal Server traffic

From: "Albert Jurado" <ajurado@xxxxxxxxxxxxxxxx>
Date: Tue, 11 Mar 2008 15:00:25 -0400
I've looked at the captures and there's no reason to believe that the packets are duplicates.  I've filtered the capture to show the communication between the terminal server and the SQL server.  When I apply this filter every other line in the wireshark display shows the "This frame is a (suspected) out-of-order segment".  This much fragmentation just doesn't seem normal. Can someone please shed some light on this...There's a part of me that thinks I'm chasing a ghost and that the problem is related to the way wireshark captures terminal server communication.

Thx.




Albert Jurado
Network Manager
First Commercial Insurance Company 
2300 W 84 St.
Hialeah, FL 33016
Phone: (305) 820-4848 ex. 1206
Mobile: (305) 873-4400
Email:  ajurado@xxxxxxxxxxxxxxxx
 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
Sent: Monday, March 10, 2008 7:38 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Terminal Server traffic

Hi,

Well a packet coming in has to come out somewhere. If the router passes them 
both to the sniffer you'll see it twice (with a different MAC address, of 
course, and maybe a different VLAN tag, and a TTL-1, but still.

Thanx,
Jaap

Albert Jurado wrote:
> Why would it see double?
> 
> Albert Jurado
> Network Manager
> First Commercial Insurance Company 
> 2300 W 84 St.
> Hialeah, FL 33016
> Phone: (305) 820-4848 ex. 1206
> Mobile: (305) 873-4400
> Email:  ajurado@xxxxxxxxxxxxxxxx
>  
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Monday, March 10, 2008 1:31 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Terminal Server traffic
> 
> Hi,
> 
> I may be dependant how you configured the monitoring port on the core router. 
> If it captures both ingress and egress packets it start to see double. The 
> details I leave to the network operator buffs ;) .
> 
> Thanx,
> Jaap
> 
> Albert Jurado wrote:
>> As of last week we started to monitor traffic from our internal Terminal 
>> Server to our internal SQL server using wireshark.
>>
>> Our network is segmented in the following way:
>>
>> VLAN for servers
>>
>> Data VLAN for each floor in the building (six in total).
>>
>> We installed wireshark on a separate workstation plugged into our core 
>> router with a monitoring port configured
>>
>> Our first capture revealed over 40% of the traffic as “out-of-order” 
>> packets.  When we performed a capture from the terminal server there was 
>> no such traffic. 
>>
>> I wondering if this type of behavior is normal for terminal server 
>> communication.  I hope someone can shed some light on this matter for 
>> me, it would greatly appreciated.
>>
>> Thanks!
>>
>> *Albert Jurado*
> 

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users