Michael Montgomery wrote:
Hi Bill,
 
Before I waste any of your time looking at my captures, I'm wondering if 
I've set the capture up correctly.  The two hosts, the DB and App 
server, are on a Cisco Catalyst 6509.  I've SPAN'd both the DbServer and 
AppServer ports to the port Wireshark is on.  The statistics I gave you 
before were from this setup. I also wanted to point out that sometimes 
I configured the capture with inpkts enabled and sometimes with inpkts 
disabled on the switch.  Would this setup cause the excessive 
out-of-order warnings?  Either way, what would be the best way to 
capture the traffic between the two hosts?
 
Thank you

*One* 6500?  Or separated by multiple 6500s?
If you span'ed both servers and they are residing on the same switch, 
you will have:
1)  duplicated every packet (out of DB server, into the App server)
2)  Possibly overrun the output buffer of the monitor port.  Do a "sho 
mac x/y" where x/y is your monitor port to see if you are dropping 
packets to your sniffer.
3)  Packets missing because they were dropped on the monitor port is 
easy enough to spot if you have a lot of experience with protocol 
analysis, but why bother if you don't have to.
--
Thanks,
Hansang
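
Added example, not part of the original thread: the duplication described in point 1 can be confirmed offline by looking for byte-identical frames that arrive within a few packets of each other, the same idea behind `editcap -d`. The frame layout, MAC addresses, window size and function names below are constructed for illustration, and the example assumes a genuine TCP retransmission carries a new IP ID and therefore differs from a SPAN copy.

```python
import hashlib
import struct
from collections import deque

DB_MAC = bytes.fromhex("020000000001")   # constructed address
APP_MAC = bytes.fromhex("020000000002")  # constructed address

def make_frame(src, dst, ip_id, seq, payload):
    # Constructed stand-in for an Ethernet frame carrying a TCP segment:
    # dst MAC, src MAC, ethertype, IP ID, TCP sequence number, payload.
    return dst + src + b"\x08\x00" + struct.pack("!HI", ip_id, seq) + payload

def find_span_duplicates(frames, window=4):
    """Return (kept_indices, duplicate_pairs).

    A frame is a duplicate when its length and hash match one of the
    previous `window` kept frames, which is what mirroring both server
    ports of one switch produces (rx copy on one port, tx copy on the other).
    """
    recent = deque(maxlen=window)  # (fingerprint, index) of kept frames
    kept, dups = [], []
    for i, frame in enumerate(frames):
        fp = (len(frame), hashlib.sha256(frame).digest())
        first = next((j for seen, j in recent if seen == fp), None)
        if first is not None:
            dups.append((first, i))
        else:
            kept.append(i)
            recent.append((fp, i))
    return kept, dups

# Constructed capture: each frame is seen twice because both ports are mirrored.
db_to_app = make_frame(DB_MAC, APP_MAC, ip_id=1, seq=1000, payload=b"row1")
app_to_db = make_frame(APP_MAC, DB_MAC, ip_id=7, seq=5000, payload=b"ack")
retransmit = make_frame(DB_MAC, APP_MAC, ip_id=2, seq=1000, payload=b"row1")
CAPTURE = [db_to_app, db_to_app, app_to_db, app_to_db, retransmit]

if __name__ == "__main__":
    kept, dups = find_span_duplicates(CAPTURE)
    print("kept frames:", kept)
    print("duplicate pairs (original, copy):", dups)
```

If nearly every frame shows up in a duplicate pair, the capture point is doubling the traffic, and mirroring only one of the two server ports avoids it.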