Hansang Bae
Wed, 26 Mar 2008 19:19:17 -0700
Alfonso Valdez wrote:
> TO: Japp
>
> Yes I am spanning the port on a cisco 6509. Here is the capture file if
> you give me your email I will forward it to you. All this is, is a basic
> nat. The application is AS2 EDI. See if you make any sense out of it.
> Note at the end the host inside my network the 172.16.11.9 does set the
> RESET flag. The data never comes through.
>
>
> Host1---swtch-----firewall----router--------internet------vendor network
^ ^
1 2
>
>
Japp's point is that you are seeing the exact same packet twice. This
throws off the analysis because Wireshark thinks it is a retransmission
(maybe some logic should be built in to prevent this?).
You can use "editcap -d" to remove duplicate packets. Give that a shot
first.
By the way, in the above diagram, if you span the VLAN that has HOST1 and
FIREWALL in it, you will capture the same packet twice - as it comes out
of the FW and as it enters HOST1. You should just capture it once at
point 1 or point 2.
--
Thanks,
Hansang
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
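
The duplicate removal suggested in the reply above, sketched as an added example that is not part of the original thread: it mimics the comparison the editcap documentation describes for `-d` (length and MD5 of each packet checked against the previous four packets). The function names and the sample frames are assumptions constructed for illustration.

```python
import hashlib
import struct
from collections import deque

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # classic little-endian pcap file header
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(frames):
    """Serialize (ts_sec, ts_usec, bytes) tuples into classic pcap bytes."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sec, usec, data in frames:
        out += PCAP_RECORD.pack(sec, usec, len(data), len(data)) + data
    return out


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, bytes) records from classic pcap bytes."""
    if PCAP_GLOBAL.unpack_from(blob, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = PCAP_GLOBAL.size
    while off < len(blob):
        sec, usec, incl, _orig = PCAP_RECORD.unpack_from(blob, off)
        off += PCAP_RECORD.size
        yield sec, usec, blob[off:off + incl]
        off += incl


def dedup(records, window=5):
    """Drop a record whose (length, MD5) equals one of the previous window-1 records."""
    recent = deque(maxlen=window - 1)
    kept, dropped = [], 0
    for sec, usec, data in records:
        key = (len(data), hashlib.md5(data).digest())
        if key in recent:
            dropped += 1          # same bytes seen a moment ago: SPAN duplicate
        else:
            kept.append((sec, usec, data))
        recent.append(key)        # duplicates still occupy a slot in the window
    return kept, dropped


def sample_frames():
    """Constructed stand-in frames: each one is mirrored twice, as on a VLAN SPAN."""
    tags = [b"SYN", b"SYN", b"SYN-ACK", b"SYN-ACK", b"ACK", b"ACK"]
    return [(0, i * 10, bytes(12) + b"\x08\x00" + t) for i, t in enumerate(tags)]


if __name__ == "__main__":
    kept, dropped = dedup(read_pcap(build_pcap(sample_frames())))
    print(f"kept {len(kept)} packets, dropped {dropped} duplicates")
```

Byte-for-byte matching only catches copies taken on the same VLAN, as in the diagram; a copy captured after a routed hop differs in its MAC addresses and TTL and would not match.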