Wireshark will not normally see frames that don't meet normal physical or data-link layer checks. However, as you rightly point out, missing frames will trigger retransmission at the network layer or above (depending on the protocol).
Errors occurring on the optical link are going to be best detected on the devices that are at the end of the link. Most enterprise-class equipment will have SNMP-retrievable counters for the various interfaces you are using. Polling these frequently should allow you to correlate the error counts you see there with those observed (through non-forwarded data and the effect it creates) in Wireshark.
Regards, Martin
MartinVisser99@xxxxxxxxx
On Thu, May 21, 2009 at 6:42 AM, <rkruz@xxxxxxx> wrote:
I am using Wireshark as a way to evaluate the health of a network link (100 BaseT). The link is shown below:
Data in > router/switch > encryptor > optical-elec > elect-optical > encryptor > router/switch > data out > Wireshark Mirrored port.
I capture data with Wireshark at the mirrored ports and, using a TCP filter, look for “missing” packets and “retransmissions”. Can this approach be used to detect a change in health of the link? For example, when seeing a sudden increase in missing packets from previous days of capture?
How will errored packets that occur in the optical side of the link manifest themselves in the Wireshark capture at the very end of the link (after the router)?
Any suggestions on a better approach? My confusion is how the link layer will portray errors that occur a layer up in the network layer.
Any thoughts appreciated.
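
The correlation suggested in the reply, sketched as an added example that is not part of the original thread: it turns periodic polls of an interface error counter into per-interval deltas and compares them with TCP retransmission timestamps taken from a capture. It assumes the counter is IF-MIB `ifInErrors` (a Counter32) polled every 60 seconds and that retransmission times were exported from Wireshark (for instance, frames matching `tcp.analysis.retransmission`); the function names and all sample values are constructed for illustration.

```python
from statistics import mean

COUNTER32_MOD = 2 ** 32  # ifInErrors is a Counter32 and wraps at 2^32


def counter_deltas(samples):
    """Turn (timestamp, counter) polls into (start, end, delta) intervals."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        # Modulo absorbs a single wrap between polls. A device reboot resets
        # the counter and would show up here as one implausibly large delta.
        out.append((t0, t1, (c1 - c0) % COUNTER32_MOD))
    return out


def bucket_events(event_times, intervals):
    """Count retransmission timestamps in each [start, end) poll interval."""
    return [sum(1 for t in event_times if s <= t < e) for s, e, _ in intervals]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is flat."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


def correlate(samples, retrans_times):
    """Return (error deltas, retransmissions per interval, correlation)."""
    intervals = counter_deltas(samples)
    errs = [d for _, _, d in intervals]
    retrans = bucket_events(retrans_times, intervals)
    return errs, retrans, pearson(errs, retrans)


# Constructed sample data: the counter wraps between t=60 and t=120.
POLLS = [(0, 4294967290), (60, 4294967292), (120, 14), (180, 15), (240, 15)]
# Constructed retransmission timestamps (seconds on the same clock).
RETRANS = [5, 70, 75, 80, 90, 100, 110, 130, 200]

if __name__ == "__main__":
    print(correlate(POLLS, RETRANS))
```

A correlation near 1 over many intervals points at the physical link; retransmissions with flat error counters point at congestion or loss elsewhere in the path.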