I've looked at the captures and there's no reason to believe that the packets are duplicates. I've filtered the capture to show the communication between the terminal server and the SQL server. When I apply this filter, every other line in the Wireshark display shows the "This frame is a (suspected) out-of-order segment" message. This much fragmentation just doesn't seem normal. Can someone please shed some light on this... There's a part of me that thinks I'm chasing a ghost and that the problem is related to the way Wireshark captures terminal server communication.

Thx.

Albert Jurado
Network Manager
First Commercial Insurance Company
2300 W 84 St.
Hialeah, FL 33016
Phone: (305) 820-4848 ex. 1206
Mobile: (305) 873-4400
Email: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaap Keuter
Sent: Monday, March 10, 2008 7:38 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Terminal Server traffic

Hi,

Well a packet coming in has to come out somewhere. If the router passes them both to the sniffer you'll see it twice (with a different MAC address, of course, and maybe a different VLAN tag, and a TTL-1, but still).

Thanx,
Jaap

Albert Jurado wrote:
> Why would it see double?
>
> Albert Jurado
> Network Manager
> First Commercial Insurance Company
> 2300 W 84 St.
> Hialeah, FL 33016
> Phone: (305) 820-4848 ex. 1206
> Mobile: (305) 873-4400
> Email: [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jaap Keuter
> Sent: Monday, March 10, 2008 1:31 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Terminal Server traffic
>
> Hi,
>
> It may be dependent on how you configured the monitoring port on the core router.
> If it captures both ingress and egress packets it starts to see double. The
> details I leave to the network operator buffs ;) .
>
> Thanx,
> Jaap
>
> Albert Jurado wrote:
>> As of last week we started to monitor traffic from our internal Terminal
>> Server to our internal SQL server using Wireshark.
>>
>> Our network is segmented in the following way:
>>
>> VLAN for servers
>>
>> Data VLAN for each floor in the building (six in total).
>>
>> We installed Wireshark on a separate workstation plugged into our core
>> router with a monitoring port configured.
>>
>> Our first capture revealed over 40% of the traffic as “out-of-order”
>> packets. When we performed a capture from the terminal server there was
>> no such traffic.
>>
>> I'm wondering if this type of behavior is normal for terminal server
>> communication. I hope someone can shed some light on this matter for
>> me, it would be greatly appreciated.
>>
>> Thanks!
>>
>> *Albert Jurado*

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
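
Added example, not part of the original thread: one way to test a mirror-port capture for the ingress/egress duplicates Jaap describes, by pairing frames that share IP ID, addresses and TCP sequence/ack numbers but differ in MAC addresses and have a TTL lower by one. The addresses, ports, MACs and VLAN IDs in the sample frames are constructed.

```python
import struct
from collections import defaultdict

def parse(frame):
    """Return (key, ttl, macs) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 18:
        return None
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:                       # 802.1Q tag present: skip it
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    off += 2                                  # off now points at the IP header
    if len(frame) < off + 40 or etype != 0x0800 or frame[off + 9] != 6:
        return None                           # not IPv4 carrying TCP
    ihl = (frame[off] & 0x0F) * 4
    total_len, ip_id = struct.unpack_from("!HH", frame, off + 2)
    ttl, addrs = frame[off + 8], frame[off + 12:off + 20]
    tcp_fields = frame[off + ihl:off + ihl + 12]   # ports, seq, ack
    return (addrs, ip_id, total_len, tcp_fields), ttl, frame[:12]

def routed_duplicates(frames):
    """Index pairs (i, j): same packet seen twice, TTL one lower, MACs changed."""
    seen, pairs = defaultdict(list), []
    for j, frame in enumerate(frames):
        parsed = parse(frame)
        if parsed is None:
            continue
        key, ttl, macs = parsed
        pairs += [(i, j) for i, ttl_i, macs_i in seen[key]
                  if ttl_i - ttl == 1 and macs_i != macs]
        seen[key].append((j, ttl, macs))
    return pairs

def build(macs, vlan, ttl, ip_id, seq):
    """Constructed test frame (checksums left zero): Ethernet/802.1Q/IPv4/TCP."""
    eth = macs + struct.pack("!HHH", 0x8100, vlan, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     bytes([10, 0, 20, 5]), bytes([10, 0, 10, 9]))
    tcp = struct.pack("!HHIIHHHH", 49200, 1433, seq, 1, 0x5010, 8192, 0, 0)
    return eth + ip + tcp

# Constructed sample: packets 0x1001 and 0x1003 are mirrored on ingress and egress.
IN_MACS = bytes.fromhex("00005e005301" "00005e005302")
OUT_MACS = bytes.fromhex("00005e005303" "00005e005304")
SAMPLE = [build(IN_MACS, 20, 128, 0x1001, 1000), build(OUT_MACS, 10, 127, 0x1001, 1000),
          build(IN_MACS, 20, 128, 0x1002, 1040),
          build(IN_MACS, 20, 128, 0x1003, 1080), build(OUT_MACS, 10, 127, 0x1003, 1080)]

if __name__ == "__main__":
    print(routed_duplicates(SAMPLE))
```

An exact retransmission from the sender keeps the same TTL and MAC addresses, so it is not paired by this check; only copies that have crossed one routed hop are.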