This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark placement


Hey guys,

I would appreciate some help on the following scenario.

We are running a backup of the Exchange Server to a NAS device.

The Exchange Server (backup agent installed) is connected via an HP Procurve 2500 switch to the backup software. The Backup Server is connected via another HP switch to a NAS device. The problem is that our daily backup fails with a communication error (almost always at the same byte count).

My question is where I would have to place Wireshark, and also which capture filter I should use (if I track everything, I'm afraid our systems may suffer performance issues). So should I place Wireshark between the Exchange and Backup Server (or on both)? Or between the Backup Server and the NAS with a capture filter of the Backup Server's IP + NAS IP?

From a test capture it looks like it runs over SMB2.

Any suggestion much appreciated!

asked 20 Mar '15, 01:06

adasko


One Answer:


If you can, capture between Exchange and Backup and between Backup and NAS simultaneously. The capture filter can be "host Exchange and host Backup". You can use the same host syntax for the other side "host Backup and host NAS". Replace the names in the capture filter with the relevant IPs. Afterwards you can upload the packet captures to Cloudshark if you need help analyzing them.

answered 20 Mar '15, 01:34

Roland

Thank you. And what if the full backup ALWAYS fails at 109 GB? Could this be an indication that the server is corrupted in some way? I can see that the Exchange DB's System State is being backed up.

Many thanks

(20 Mar '15, 03:28) adasko

I assume you have enough free space on the NAS :) It depends on what you see in the packet capture. Do you see TCP Window Full or TCP Zero Window for a long period of time?

(20 Mar '15, 04:17) Roland

Yes, there is enough space. Let me do the Wireshark capture and check. I will post the results. Thank you!

(20 Mar '15, 04:23) adasko

If I have the trace file, should I filter only for SMB/SMB2, like with a filter "smb or smb2", because I cannot see many TCP packets?

(20 Mar '15, 08:19) adasko

SMB runs on top of TCP. Filter for the relevant TCP stream and look at what happens in the packet capture when the backup fails.

(20 Mar '15, 08:25) Roland
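As an added example, not part of the original thread or of Wireshark itself: the Python script below first builds the dumpcap command for each of the two capture points Roland describes (capture filter "host A and host B", with a ring buffer and a snaplen so a capture that runs until the backup fails cannot fill the disk or burden the host), and then performs the check from the later comments, walking each TCP stream and reporting how long a peer advertised a zero window and which side sent the reset. The IP addresses (Exchange 10.0.0.10, Backup 10.0.0.20, NAS 10.0.0.30), the interface name and the sample packet rows are constructed for illustration; the parser assumes the rows were exported with `tshark -r capture.pcapng -T fields -E separator=, -e frame.time_relative -e tcp.stream -e ip.src -e ip.dst -e tcp.window_size -e tcp.len -e tcp.flags.reset`.

```python
"""Capture planning and first-pass TCP stream analysis for a failing backup.

Constructed example: the addresses, interface and SAMPLE rows below are
illustrative, not from the original thread.
"""
import csv
import io
from collections import defaultdict


def capture_filter(host_a, host_b):
    """BPF capture filter that keeps only traffic between the two hosts."""
    return f"host {host_a} and host {host_b}"


def dumpcap_cmd(iface, host_a, host_b, outfile, snaplen=256, file_kb=100_000, files=20):
    """argv for dumpcap with a capture filter and a ring buffer.

    256 bytes per frame covers Ethernet/IP/TCP plus the 64-byte SMB2 header;
    raise snaplen if you later need SMB2 payload, at the cost of more I/O.
    """
    return ["dumpcap", "-i", iface, "-f", capture_filter(host_a, host_b),
            "-s", str(snaplen),
            "-b", f"filesize:{file_kb}", "-b", f"files:{files}",
            "-w", outfile]


# Constructed tshark field export (time,stream,src,dst,window,len,rst).
# Stream 0: Exchange -> Backup; the Backup server advertises a zero window
# for ~20 s and Exchange finally resets. Stream 1: Backup -> NAS, healthy.
SAMPLE = """\
0.000,0,10.0.0.10,10.0.0.20,65535,0,0
0.010,0,10.0.0.20,10.0.0.10,65535,0,0
1.000,0,10.0.0.10,10.0.0.20,65535,1460,0
1.001,0,10.0.0.20,10.0.0.10,0,0,0
6.002,0,10.0.0.20,10.0.0.10,0,0,0
11.003,0,10.0.0.20,10.0.0.10,0,0,0
21.004,0,10.0.0.20,10.0.0.10,0,0,0
21.500,0,10.0.0.10,10.0.0.20,65535,0,1
0.500,1,10.0.0.20,10.0.0.30,65535,1460,0
0.510,1,10.0.0.30,10.0.0.20,65535,0,0
"""


def parse_tshark_csv(text):
    """Turn the comma-separated tshark field export into per-packet dicts."""
    fields = ["time", "stream", "src", "dst", "window", "length", "rst"]
    packets = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=fields):
        packets.append({
            "time": float(rec["time"]),
            "stream": int(rec["stream"]),
            "src": rec["src"],
            "dst": rec["dst"],
            "window": int(rec["window"]),
            "length": int(rec["length"]),
            # tshark prints booleans as 1/0 or True/False depending on version
            "rst": rec["rst"].strip().lower() in ("1", "true"),
        })
    return packets


def analyse_streams(packets):
    """Per tcp.stream: longest zero-window period per host, bytes sent, who reset."""
    streams = {}
    for p in sorted(packets, key=lambda p: (p["stream"], p["time"])):
        s = streams.setdefault(p["stream"], {
            "peers": set(), "bytes": defaultdict(int), "zero_window": {},
            "zw_open": {}, "reset_by": None, "last_time": p["time"]})
        s["peers"].update((p["src"], p["dst"]))
        s["last_time"] = p["time"]
        s["bytes"][p["src"]] += p["length"]
        if p["rst"]:
            s["reset_by"] = s["reset_by"] or p["src"]
            continue  # the window in a RST segment is meaningless
        src = p["src"]
        if p["window"] == 0:
            s["zw_open"].setdefault(src, p["time"])  # zero-window period starts
        elif src in s["zw_open"]:
            dur = p["time"] - s["zw_open"].pop(src)  # window reopened
            s["zero_window"][src] = max(s["zero_window"].get(src, 0.0), dur)
    for s in streams.values():
        # a zero window still open at the end of the stream lasted until its last packet
        for src, start in s["zw_open"].items():
            dur = s["last_time"] - start
            s["zero_window"][src] = max(s["zero_window"].get(src, 0.0), dur)
        del s["zw_open"]
        s["bytes"] = dict(s["bytes"])
    return streams


def diagnose(streams, zero_window_threshold=5.0):
    """Findings worth looking at in Wireshark: long zero windows and resets."""
    findings = []
    for sid, s in sorted(streams.items()):
        for host, dur in s["zero_window"].items():
            if dur >= zero_window_threshold:
                findings.append((sid, f"{host} advertised a zero window for {dur:.1f}s"))
        if s["reset_by"]:
            findings.append((sid, f"connection reset by {s['reset_by']}"))
    return findings


if __name__ == "__main__":
    print(" ".join(dumpcap_cmd("eth0", "10.0.0.10", "10.0.0.20", "/tmp/exch-backup.pcapng")))
    print(" ".join(dumpcap_cmd("eth1", "10.0.0.20", "10.0.0.30", "/tmp/backup-nas.pcapng")))
    for sid, msg in diagnose(analyse_streams(parse_tshark_csv(SAMPLE))):
        print(f"tcp.stream eq {sid}: {msg}")
```

Each finding names the tcp.stream number, so the matching display filter in Wireshark is simply `tcp.stream eq N`; open that stream in the trace from the side that reset and look at what the application (SMB2) was doing in the seconds before the zero window appeared.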