[c-nsp] finding unicast flooding in Wireshark sniff

Rogelio scubacuda at gmail.com
Mon Jul 18 08:51:16 EDT 2011


I've got several L2TP tunnels hitting a Cisco 7201 and am trying to
use Wireshark to determine what inside my tunnel is responsible for queue
drops on one of the interfaces responsible for the L2TP termination. I
inserted a Wireshark laptop in a hub between the LAC and the LNS, and
I got a good 24-hour sniff of L2TP traffic.

(A broadcast filter is on the router, so I strongly suspect unicast
garbage is flooding my L2TP tunnels. I am trying to make a case for a
good carrier-grade switch that supports the UUFB feature.)

I'm relatively new to Wireshark and could use some suggestions on how
to determine what is responsible for the traffic spikes in the IO
graph.  I sorted the traffic by protocol hierarchy and found 99% of it
inside the Ethernet / IP section is TCP, so I know that it's
application-level traffic.  I'm hoping to narrow this down a bit more
and find the smoking gun.

Any ideas where to start?  I feel like I'm poking around here and
could use any pointers or suggestions others might have.  Ideally, I
could make one "find unidentified unicast" filter and scan a big file
for that characteristic.

-- 
Also on LinkedIn?  Feel free to connect if you too are an open
networker: scubacuda at gmail.com


