This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet captures and Riverbed Appliances

0

Would it be beneficial to capture traffic before and after a Riverbed Steelhead appliance?

Are there any tips anyone can provide when reading packets from one of these appliances?

Thanks

asked 02 Mar '11, 09:39

scottmildy
accept rate: 0%

scottmildy, are you trying to see how much RB will help or trying to figure out what the "secret sauce" is? Before I get into a long, drawn-out answer, I wanted to see what you were after.

(06 Mar '11, 09:06) hansangb

One Answer:

0

You might want to capture traffic before and after any appliance if you suspect that the device is responsible for problems in your network. I haven't encountered any Riverbed appliances so far, but I had my share of captures at other traffic management appliances that messed up some network packets really good. One example was a traffic shaper adjusting the TCP window size to ridiculous values that led to total communication breakdown between client and server.

So if you suspect any appliance to mess up packets, you can capture on both sides of the appliance (if it's not a one-armed device, otherwise you can only do one capture) and compare traces to see what happens. Comparing traces is a time-consuming process, but if you know of a specific communication between two stations that has trouble and you know IP addresses and TCP ports, you can find the TCP flows quite easily by looking for those, maybe including the initial TCP sequence number.

answered 03 Mar '11, 02:31

Jasper ♦♦
accept rate: 18%
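
As an added example (not part of the original answer): matching TCP flows between a capture taken before an appliance and one taken after it, keyed on IP addresses, ports and the initial sequence number, and reporting SYNs whose advertised window changed in transit. The pcap bytes, addresses and window values are constructed sample data, and `build_pcap`, `syn_index` and `compare` are names chosen for this example.

```python
import struct, socket

def build_pcap(packets):
    """Constructed sample input: classic pcap (Ethernet) with bare TCP segments, checksums zeroed."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, sport, dport, seq, flags, win in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, win, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def syn_index(pcap):
    """Map (src, dst, sport, dport, ISN) -> advertised window for each client SYN."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    flows, off = {}, 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                         # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue                         # truncated TCP header
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        flags, win = tcp[13], struct.unpack("!H", tcp[14:16])[0]
        if flags & 0x12 == 0x02:             # SYN set, ACK clear
            key = (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport, seq)
            flows[key] = win
    return flows

def compare(before, after):
    """Flows on both sides whose SYN window differs, and SYNs with no match after the device."""
    a, b = syn_index(before), syn_index(after)
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    return changed, sorted(a.keys() - b.keys())

# Constructed captures: the first flow's window is altered in transit, the second flow's ISN differs.
BEFORE = build_pcap([("10.0.0.5", "192.0.2.10", 40001, 443, 1000, 0x02, 64240),
                     ("192.0.2.10", "10.0.0.5", 443, 40001, 9000, 0x12, 65535),
                     ("10.0.0.5", "192.0.2.10", 40002, 443, 2000, 0x02, 64240)])
AFTER = build_pcap([("10.0.0.5", "192.0.2.10", 40001, 443, 1000, 0x02, 512),
                    ("10.0.0.5", "192.0.2.10", 40002, 443, 777777, 0x02, 64240)])
```

A SYN that appears in the "missing" list was not found with the same addresses, ports and ISN on the far side, so that flow has to be located by other means (for example timing) before the two traces can be compared.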