Hi, We have two production sites with 8 switches each. We have been experiencing some packet loss between servers and this can be quite time-consuming to troubleshoot. Currently, we have to go to site and mirror traffic from one switch at a time. I would like to setup a server in each site with 8 network interfaces conneted to all switches. The plan is to mirror traffic from all switches to the Wireshark server and compare the traces to find the problem. Can Wireshark correlate packet captures between multiple switches? How would I go about to set this up? asked 02 Jul '16, 04:32  tempus |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Sounds tricky. Can't RSPAN help here?
RSPAN could be used to reduce the number of physical ports required on the server. This would only means that Wireshark would see traffic from multiple switches aggregated on the same interface. Sometimes it's nice to use RSPAN, but when troubleshooting packet loss it's usually best not to tunnel your packet captures over multiple hops.
First there is capacity planning. Having all traffic coming back to a single point the capture engine (and packet filter for that matter) will have a lot of work to do.
Then there is fault finding, or non-duplicate packet finding in this case. While Wireshark and tools are equipped to remove duplications, you are looking for them and where they are missing, just the opposite. Maybe MATE can help you out, but I'm not sure.
Still, in matters of packet loss, wouldn't the interface performance counters tell you what you seek?
Thanks for your answer. I'll look into what I can do with MATE. Perhaps if I can find a way to do a 'diff' between the captures of multiple interfaces.
I think I can get around the capacity problem by not mirroring from all switches (maybe only 2 or 3) at the same time. I can use capture filters with IP to only get the relevant packets.
Checking interface counters is usually the first step in the troubleshooting process, but interface counters are not always reliable in my experience.
To match the packets you could use the Multi Segment Analysis feature of Riverbed Packet Analyzer (I think an eval version is available) or the Match feature of TribeLab Workbench Community Edition.