Alfonso Valdez wrote:
TO: Japp
Yes I am spanning the port on a Cisco 6509. Here is the capture file; if
you give me your email I will forward it to you. All this is, is a basic
NAT. The application is AS2 EDI. See if you make any sense out of it.
Note at the end the host inside my network the 172.16.11.9 does set the
RESET flag. The data never comes through.
Host1---swtch-----firewall----router--------internet------vendor network
      ^        ^
      1        2
Japp's point is that you are seeing the exact same packet twice. This
throws off the analysis because Wireshark thinks it is a retransmission
(maybe some logic should be built in to prevent this?).
You can use "editcap -d" to remove duplicate packets. Give that a shot
first.
By the way, in the above diagram, if you span the VLAN that has HOST1 and
FIREWALL in it, you will capture the same packet twice - as it comes out
of the FW and as it enters HOST1. You should just capture it once at
point 1 or point 2.
--
Thanks,
Hansang
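
The following is an added illustration, not part of the original message and not editcap's own code: a sliding-window duplicate filter over a classic pcap file, modelled on what "editcap -d" is documented to do (compare each frame's length and digest with the previous four frames). The frame bytes, timestamps and function names are constructed for the example, and SHA-256 is used here as the digest.

```python
import hashlib
import struct
from collections import deque

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # classic little-endian pcap file header
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(frames):
    """Serialise (ts_sec, ts_usec, frame) tuples into a pcap (linktype 1 = Ethernet)."""
    out = [PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, frame in frames:
        out.append(PCAP_REC_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame_bytes) from a little-endian classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(data):
        sec, usec, incl, _orig = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        if off + incl > len(data):
            raise ValueError("truncated packet record")
        yield sec, usec, data[off:off + incl]
        off += incl

def dedup(packets, window=5):
    """Drop a frame when an identical one is among the previous window-1 frames."""
    recent = deque(maxlen=window - 1)  # duplicates are remembered too
    kept, dropped = [], 0
    for sec, usec, frame in packets:
        key = (len(frame), hashlib.sha256(frame).digest())
        if key in recent:
            dropped += 1
        else:
            kept.append((sec, usec, frame))
        recent.append(key)
    return kept, dropped

# Constructed sample: a VLAN-wide SPAN copies each frame twice, microseconds apart.
A, B, C = b"\x00" * 14 + b"SYN", b"\x00" * 14 + b"SYN-ACK", b"\x00" * 14 + b"ACK"
SAMPLE = build_pcap([(1, 100, A), (1, 103, A), (1, 900, B), (1, 904, B), (2, 10, C), (2, 12, C)])

def demo():
    return dedup(read_pcap(SAMPLE))  # three frames kept, three dropped

if __name__ == "__main__":
    print(demo())
```

A filter of this kind only removes byte-identical copies, which is what a SPAN of a single VLAN produces; copies taken on either side of a routed or NAT hop differ in their headers and are not matched.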