Wireshark-users: Re: [Wireshark-users] Help with troubleshooting SQL and application server commu

From: Wes <wes_r@xxxxxxxxx>
Date: Wed, 13 Aug 2008 19:52:15 -0700 (PDT)
Hansang is correct. You should only be spanning the server port in order to get the data you wish to capture.

Wes

--- On Wed, 8/13/08, Hansang Bae <hbae@xxxxxxxxxx> wrote:
From: Hansang Bae <hbae@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Help with troubleshooting SQL and application server communication
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Wednesday, August 13, 2008, 9:20 PM

Michael Montgomery wrote:
> Hi Bill,
>
> Before I waste any of your time looking at my captures, I'm wondering if
> I've set the capture up correctly. The two hosts, the DB and App
> server, are on a Cisco Catalyst 6509. I've SPAN'd both the DbServer and
> AppServer ports to the port Wireshark is on. The statistics I gave you
> before were from this setup. I also wanted to point out that sometimes
> I configured the capture with inkpkts enabled and sometimes with inkpkts
> disabled on the switch. Would this setup cause the excessive
> out-of-order warnings? Either way, what would be the best way to
> capture the traffic between the two hosts?
>
> Thank you

*One* 6500? Or separated by multiple 6500s?

If you span'ed both servers and they are residing on the same switch,
you will have

1) duplicated every packet (out of DB server, into the App server)
2) Possibly overran the output buffer of the monitor port. Do a "sho
mac x/y" where x/y is your monitor port to see if you are dropping
packets to your sniffer.
3) Packets missing because they were dropped on the monitor port are
easy enough to spot if you have a lot of experience with protocol
analysis, but why bother if you don't have to?


--

Thanks,
Hansang
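
Added example (not part of the original thread): a sketch of how the duplicates described in point 1 can be separated from real retransmissions in a capture taken with both server ports spanned. It assumes both hosts are Layer-2 switched in the same VLAN, so each SPAN copy is identical to its original and arrives within a 1 ms window; the `Pkt` record, the addresses and the sample packets are constructed for illustration.

```python
import hashlib
from collections import namedtuple

# Constructed packet summary: capture time (s), IP src/dst, IP ID, TCP seq, payload.
Pkt = namedtuple("Pkt", "ts src dst ip_id seq payload")

def fingerprint(p):
    """Fields that a Layer-2 SPAN copy shares with its original packet."""
    return (p.src, p.dst, p.ip_id, p.seq, hashlib.sha256(p.payload).hexdigest())

def split_span_duplicates(packets, window=0.001):
    """Return (unique, duplicates).

    A packet counts as a SPAN duplicate when the same fingerprint was seen
    at most `window` seconds earlier. A real retransmission normally has a
    new IP ID and arrives after a retransmission timeout, so it is kept.
    """
    last_seen = {}
    unique, dups = [], []
    for p in sorted(packets, key=lambda p: p.ts):
        fp = fingerprint(p)
        prev = last_seen.get(fp)
        if prev is not None and p.ts - prev <= window:
            dups.append(p)
        else:
            unique.append(p)
        last_seen[fp] = p.ts
    return unique, dups

DB, APP = "10.0.0.10", "10.0.0.20"  # constructed addresses
SAMPLE = [  # constructed capture: every packet is seen on both spanned ports
    Pkt(0.000000, DB, APP, 100, 1000, b"row1"),
    Pkt(0.000020, DB, APP, 100, 1000, b"row1"),  # SPAN copy
    Pkt(0.000300, APP, DB, 500, 7000, b""),      # ACK
    Pkt(0.000315, APP, DB, 500, 7000, b""),      # SPAN copy
    Pkt(0.001000, DB, APP, 101, 1004, b"row2"),
    Pkt(0.001018, DB, APP, 101, 1004, b"row2"),  # SPAN copy
    Pkt(0.300000, DB, APP, 102, 1004, b"row2"),  # real retransmission
    Pkt(0.300019, DB, APP, 102, 1004, b"row2"),  # SPAN copy of it
]

if __name__ == "__main__":
    unique, dups = split_span_duplicates(SAMPLE)
    print(f"{len(unique)} unique packets, {len(dups)} SPAN duplicates")
```

On a real capture file, Wireshark's editcap tool has a -d option that removes duplicate packets.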