On 2018-11-16 10:59, Joe Golden wrote:
Lurkers, Sniffers and Puzzlers,

I've got a cool setup with a Raspberry Pi (Debian Stretch) set up as
a sniffer in a client's office in southern VT.  Office has 20ish
machines networked and the router is an Asus RTAC3200
(https://www.asus.com/us/Networking/RTAC3200/).  I've modified the
iptables on the router to mirror all traffic to the pi.

One thing that gives me pause is this right here. In the "mirror all traffic" thing that I usually see on switches, that switch port then doesn't do "regular" traffic; it's specifically used for sniffing. But unless you've got multiple NICs (or VLANs), you're sniffing traffic with the same port you're communicating with. I wonder if maybe that could be causing issues right there? If that switch has any decent smarts, instead of having iptables mirror, I'd mirror a port, and sniff off that using a secondary NIC. Failing that, I'd still use a secondary NIC as my sniffing device, just so you don't wind up with a quantum-mechanic sort of scenario, where the observer is affecting the stuff being observed.

$.02,

-Ken


So I'm sniffing packets and then analyzing the packet capture with
Wireshark.  I see a lot of black and red and pink which are quite
discordant and non-harmonious.  I've been SSHed into the pi to run the
packet dumps with tcpdump.  These packets are showing

        * TCP out-of-order
        * TCP Retransmission
        * TCP Dup ACK
        * RST-ACK
        * TCP ACKed Unseen Segment

These packets are icky and pink with black backgrounds.  They appear
to be across many different IPs.  I haven't determined if all IPs are
seeing these issues.  I don't have a network topology map at present.
They appear to be 15 percent of the packets flowing through the
network.  I know *some amount* of these are OK and networks are
resilient, but this seems a bit much.

Client reports that they are using a 12 year old "ProSafe 24 Port
Switch" for connecting most of their machines.

Since the packet problems are being observed across IPs, is it
reasonable to assume the switch is possibly causing problems?  Is
there any way to test the switch?  Any ideas for how to get more info
and try to determine the source of these problems?

Bonus clues: client reports some problems with a Drobo in the network,
which he thinks is due to bad hardware on the Drobo.  Otherwise the
network functions smoothlyish.  Prior to setting up the router to
mirror traffic to the pi, I ran a sniff on the broadcast traffic
running through the network and saw no TCP issues with that traffic.

Thanx all.  Hope you turkeys will be gathered with happy humans and
not staring at screens on Thanksgiving next week!
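As an added example (not from either poster), a small Python helper that takes tshark's per-frame field output and tallies, per host, what share of its TCP frames carry the analysis flags listed above, which answers the "is it every IP or just a few?" question; it also applies the usual Wireshark rule of thumb that a capture dominated by "ACKed unseen segment" points at the sniffer missing frames, which is the observer problem Ken raises. The tshark field names are real; the sample rows are constructed.

```python
from collections import Counter, defaultdict
# Wireshark analysis fields behind the coloured rows listed in the question.
FLAG_FIELDS = ["tcp.analysis.retransmission", "tcp.analysis.out_of_order",
               "tcp.analysis.duplicate_ack", "tcp.analysis.ack_lost_segment"]
def tshark_command(pcap):
    """tshark call emitting one tab-separated line per TCP frame; a flag
    column is empty when Wireshark did not raise that flag on the frame."""
    cmd = ["tshark", "-r", pcap, "-Y", "tcp", "-T", "fields",
           "-E", "separator=/t", "-e", "ip.src", "-e", "ip.dst"]
    for field in FLAG_FIELDS:
        cmd += ["-e", field]
    return cmd

def summarize(lines):
    """Return {host: (tcp_frames, flagged_frames, Counter of flag names)},
    counting each frame against both its source and its destination host."""
    totals, flagged, kinds = Counter(), Counter(), defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        src, dst, *values = line.split("\t")
        raised = [name for name, val in zip(FLAG_FIELDS, values) if val]
        for host in (src, dst):
            totals[host] += 1
            if raised:
                flagged[host] += 1
                kinds[host].update(raised)
    return {h: (totals[h], flagged[h], kinds[h]) for h in totals}

def flagged_share(stats, host):
    """Fraction of a host's TCP frames carrying at least one analysis flag."""
    total, bad, _ = stats[host]
    return bad / total if total else 0.0

def capture_side_suspect(stats):
    """Heuristic: if 'ACKed unseen segment' is the commonest flag, the sniffer
    itself is probably missing frames (mirror drops, one-way mirroring)."""
    overall = Counter()
    for _, _, kinds in stats.values():
        overall.update(kinds)
    return bool(overall) and overall.most_common(1)[0][0] == FLAG_FIELDS[3]
# Constructed sample of tshark output (not a real capture): src, dst, 4 flag columns.
SAMPLE = """\
10.0.0.5\t10.0.0.20\t\t\t\t
10.0.0.20\t10.0.0.5\t\t\t\t
10.0.0.5\t10.0.0.20\t1\t\t\t
10.0.0.20\t10.0.0.5\t\t\t\t1
10.0.0.7\t10.0.0.20\t\t\t\t
10.0.0.20\t10.0.0.7\t\t\t\t1
""".splitlines()
```

Feed it the real output with `subprocess.run(tshark_command("capture.pcap"), capture_output=True, text=True).stdout.splitlines()` and sort hosts by `flagged_share` to see whether the 15 percent is spread evenly or concentrated on a few machines.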
