This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I read my capture to look for errors on a bad switch port?

0

Hello,

After configuring port mirroring on an HP Procurve switch, I was able to have my Wireshark program, installed on a Windows 7 box connected to the Procurve on port 10, set up to monitor a PC on port 11, which is getting thousands of Rx errors on the port 11 interface, as I see on the HP Web GUI port counters for the HP switch. I did capture for about 5 minutes and now I have no idea what I am looking for to find out why that port 11 is logging thousands of Rx errors. What do I need to look for to figure out why that port has so many errors? The PC connected to that port 11 is Windows 7 as well. Thanks,

Jimmy (first time Wireshark user)

asked 10 May '13, 21:08

forums712


2 Answers:

1

You can't capture damaged frames on a mirror port, as the switch will drop those frames. Even if you use a TAP in front of the switch, you probably won't see those frames as your network card (or the driver) will drop them.

For more information on that topic, I recommend an article of @Jasper in his blog: http://blog.packet-foo.com/2013/05/capturing-damaged-frames/

So, here are your options (in the order of appearance):

  • Enable debug logging on the switch. Maybe the log tells you why there are so many RX errors. If the switch does not provide a debug log, send a complaint to the CEO of the vendor or buy a different product next time ;-)
  • Change the switch port. Maybe that one port is broken
  • Replace the cable
  • Boot the PC with a Linux CDROM (Knoppix) and do some tests. Maybe it's just a Windows driver problem
  • Replace the NIC of your PC. Maybe that interface is broken

Regards
Kurt

answered 11 May '13, 03:58

Kurt Knochner ♦

edited 11 May '13, 06:50

1

Hi Jimmy, most likely, the HP switch will not mirror any packets that have errors. So the port mirror configuration will not help you in finding the cause of the Rx Errors. Is there more information the Procurve can give you? Most managed switches have some more detailed counters for different kinds of Rx Errors.

There are a couple of things you might want to check:

  • Are the duplex settings on the PC and the switchport (11) the same? If they have a mismatch, you will see lots of errors
  • Are the errors still increasing on the port (11) when you connect another device?
  • Do you still see errors when moving the PC to another port?

As for things you can see with Wireshark, when there are Rx errors, there is presumably packet loss. So when doing a large file transfer over TCP, you will see retransmissions. Based on what you see in Wireshark, you can determine whether the missing packets are inbound or outbound and whether they get lost on the leg between the PC and the switch or between the switch and the rest of the network.

If you really want to catch the bad packets, you will have to use a TAP between the PC and the switchport and then capture the traffic with a network card that is able to pass frames with a bad FCS to the OS (most normal NICs won't do that).

answered 11 May '13, 03:59

SYN-bit ♦♦

OK, thanks SYN-bit. So if I do a large file transfer and capture the packets with Wireshark, I still don't know what I am looking for. Sorry, but this is the first time I am using a tool like this. So, in other words, what am I looking for as far as "Protocol, Length, and in the Info"? Thanks,

Jimmy K

(14 May '13, 08:55) forums712

So, in other words, what am I looking for as far as "Protocol, Length, and in the Info"?

To detect what exactly?

(14 May '13, 09:44) Kurt Knochner ♦
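
One way to act on SYN-bit's point about retransmissions, as an added example that is not part of the original thread: the script labels each TCP data segment per direction as new, seen twice at the capture point (the original got past it, so it or its ACK was lost afterwards), or filling a gap (the original never reached the capture point, or arrived out of order). The addresses, the capture file name and the `classify` helper are assumptions, and sequence-number wraparound is ignored.

```python
from collections import defaultdict

# Constructed sample, in the tab-separated layout produced by (file name is a placeholder):
#   tshark -r transfer.pcapng -Y "tcp.len > 0" -T fields -e ip.src -e ip.dst \
#          -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len
# 192.0.2.11 stands in for the PC on port 11, 192.0.2.50 for a file server.
SAMPLE = "\n".join("\t".join(row) for row in [
    ("192.0.2.11", "192.0.2.50", "49200", "445", "1", "1000"),
    ("192.0.2.11", "192.0.2.50", "49200", "445", "1001", "1000"),
    ("192.0.2.50", "192.0.2.11", "445", "49200", "1", "500"),
    ("192.0.2.11", "192.0.2.50", "49200", "445", "3001", "1000"),  # 2001-3000 skipped
    ("192.0.2.50", "192.0.2.11", "445", "49200", "501", "500"),
    ("192.0.2.11", "192.0.2.50", "49200", "445", "4001", "1000"),
    ("192.0.2.50", "192.0.2.11", "445", "49200", "501", "500"),    # same bytes again
    ("192.0.2.11", "192.0.2.50", "49200", "445", "2001", "1000"),  # fills the hole
    ("192.0.2.50", "192.0.2.11", "445", "49200", "1001", "500"),
    ("192.0.2.11", "192.0.2.50", "49200", "445", "5001", "1000"),
])


def classify(rows):
    """Count data segments per direction as new / seen_twice / fills_gap."""
    next_seq = {}              # flow -> highest seq + len captured so far
    holes = defaultdict(list)  # flow -> [(start, end)] byte ranges never captured
    stats = defaultdict(lambda: {"new": 0, "seen_twice": 0, "fills_gap": 0})
    for line in rows.splitlines():
        src, dst, sport, dport, seq, length = line.split("\t")
        flow, seq, end = (src, dst, sport, dport), int(seq), int(seq) + int(length)
        expected = next_seq.get(flow, seq)
        if seq >= expected:    # moves the stream forward, possibly skipping a range
            if seq > expected:
                holes[flow].append((expected, seq))
            kind = "new"
        else:                  # bytes below the highest sequence number already seen
            kind, remaining = "seen_twice", []
            for h_start, h_end in holes[flow]:
                if seq < h_end and h_start < end:  # overlaps a range never captured
                    kind = "fills_gap"
                    remaining += [(a, b) for a, b in ((h_start, seq), (end, h_end)) if a < b]
                else:
                    remaining.append((h_start, h_end))
            holes[flow] = remaining
        next_seq[flow] = max(expected, end)
        stats[(src, dst)][kind] += 1
    return {k: dict(v) for k, v in stats.items()}


if __name__ == "__main__":
    print(classify(SAMPLE))
```

In Wireshark itself, the display filters `tcp.analysis.retransmission` and `tcp.analysis.lost_segment` show the corresponding packets.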