I am analyzing traffic on a server that has two ethernet adapters and each adapter is attached to a different network. When I analyze one adapter or the other I do not receive a lot of bad TCP packets. When I analyze both adapters at the same time, I receive many bad TCP packets. Is there a reason why that happens?
asked 12 Nov '14, 12:05
That's probably because you write packets for the same TCP sessions, captured on both adapters (maybe adapter teaming), into the same capture file. As the order of the frames will be different from what Wireshark believes to be a correct TCP stream (seeing SEQ numbers before others, etc.), it might flag those frames.
However, that's just speculation. As you did not provide the capture, I can only guess. So, please upload the capture file somewhere (Google Drive, Dropbox, cloudshark.org) and post the link here. Please also add some details about why the server has two interfaces (adapter teaming yes/no), whether both adapters have an IP address in the same subnet (a lot of Windows admins are doing this for good or bad reasons), etc.
answered 13 Nov '14, 13:03
Kurt Knochner ♦
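One way to check the hypothesis in the answer above, as an added example that is not part of the original thread: list the TCP flows that appear on more than one capture interface and count the segments recorded on both. The `tshark` invocation in the comment and the file name `both.pcapng` are assumptions, and the sample rows are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample, in the column order produced by (assumed invocation):
#   tshark -r both.pcapng -Y tcp -T fields -E separator=, \
#     -e frame.interface_id -e ip.src -e tcp.srcport \
#     -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.len
SAMPLE = """\
0,10.0.0.5,49152,10.0.0.9,443,1,100
1,10.0.0.5,49152,10.0.0.9,443,1,100
1,10.0.0.5,49152,10.0.0.9,443,101,100
0,10.0.0.5,49152,10.0.0.9,443,101,100
0,10.0.0.9,443,10.0.0.5,49152,1,0
0,192.168.1.7,50000,192.168.1.1,22,1,48
1,172.16.0.3,51000,172.16.0.1,80,1,200
"""

def flows_on_multiple_interfaces(lines):
    """Return {flow: {"interfaces": [...], "duplicates": n}} for every TCP
    flow seen on more than one capture interface."""
    ifaces = defaultdict(set)      # flow -> interface ids it was seen on
    segments = defaultdict(set)    # (flow, sender, seq, len) -> interface ids
    for row in csv.reader(lines):
        if len(row) != 7 or not all(row):
            continue               # skip non-IPv4 or incomplete rows
        iface, src, sport, dst, dport, seq, length = row
        a, b = (src, int(sport)), (dst, int(dport))
        flow = tuple(sorted((a, b)))   # same key for both directions
        ifaces[flow].add(iface)
        segments[(flow, a, seq, length)].add(iface)
    report = {}
    for flow, seen in ifaces.items():
        if len(seen) > 1:
            # A segment counts as duplicated when both interfaces recorded it.
            dups = sum(1 for key, s in segments.items()
                       if key[0] == flow and len(s) > 1)
            report[flow] = {"interfaces": sorted(seen), "duplicates": dups}
    return report

if __name__ == "__main__":
    for flow, info in flows_on_multiple_interfaces(SAMPLE.splitlines()).items():
        print(flow, info)
```

A flow reported here with a non-zero duplicate count is one whose segments were written to the file once per interface, which is the situation the answer describes.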