This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

packet capture best practice

0

I'm attempting to capture a poor quality VoIP session for two users on the network. I have isolated the users to their own Cisco managed PoE switch which connects back into our main switch, also a Cisco. I haven't mirrored either of the users' ports to the port where Wireshark is running on a Windows 7 PC.

Was able to capture a fairly small amount of data during a time when one of the users was experiencing the clipping. Will this pcap contain the information I need to analyze or do I need to mirror one of the user ports to capture anything useful?

I have noticed that about 50% of the traffic is ARP. Is that "normal"?

Thanks

asked 10 Jul '17, 13:31


TonyB


One Answer:

0

From a best-practice point of view, you really need a tap or span port off the switch. So likely without a mirror you do not have relevant data to diagnose your issue.

50% ARP, without context, does not really mean anything. If you have a LOT of traffic, and half is ARP, then you likely have a problem. If you have almost no traffic, then 50% ARP traffic probably does not mean much. What you describe is consistent: you are not on a mirror or span port, so you are only capturing broadcast traffic from the network (maybe some multicast too, depending on specific configurations). Some ARP traffic is classically broadcast, so that makes sense as long as there is not a lot of it in packets/sec.

answered 10 Jul '17, 15:19


Bob Jones

Thanks, Bob. I've mirrored the port and will review the data once the issue happens again. Appreciate the very clear response.

(11 Jul '17, 07:50) TonyB
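One way to check whether an existing capture was taken on a mirrored port, as the answer above describes, is to tally frames by destination type. This is an added example, not part of the original thread; it reads classic pcap only (save a pcapng capture as pcap first), and the MAC addresses and frames are constructed sample data.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def classify_capture(pcap: bytes, own_mac: bytes) -> Counter:
    """Count Ethernet frames in a classic pcap by destination type."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts, offset = Counter(), 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:            # cut-off record, no full Ethernet header
            counts["truncated"] += 1
            continue
        dst, src, ethertype = frame[0:6], frame[6:12], frame[12:14]
        if ethertype == b"\x08\x06":   # ARP, tallied separately from dst type
            counts["arp"] += 1
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 1:               # group bit set: multicast
            counts["multicast"] += 1
        elif own_mac in (dst, src):    # the capture PC's own conversations
            counts["own_unicast"] += 1
        else:                          # unicast between two other hosts
            counts["foreign_unicast"] += 1
    return counts

def _pcap(frames):
    """Build a little-endian classic pcap from raw frames (sample data only)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed MAC addresses and frames, not taken from any real capture.
PC, PHONE_A, PHONE_B = (bytes.fromhex("02000000000" + n) for n in "123")
ARP = BROADCAST + PHONE_A + b"\x08\x06" + bytes(28)
MCAST = bytes.fromhex("01005e000001") + PHONE_A + b"\x08\x00" + bytes(28)
MINE = PC + PHONE_A + b"\x08\x00" + bytes(28)
RTP = PHONE_B + PHONE_A + b"\x08\x00" + bytes(28)
UNMIRRORED = _pcap([ARP, ARP, MCAST, MINE])
MIRRORED = _pcap([ARP, ARP, MCAST, MINE, RTP, RTP, RTP])
```

A `foreign_unicast` count of zero means the capture holds none of the phones' own conversation. A switch can flood a few unicast frames for destinations it has not learned yet, so a handful of foreign frames does not by itself prove the port is mirrored.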