[c-nsp] finding unicast flooding in Wireshark sniff

Irina Arsenieva ecralar at hotmail.com
Tue Jul 19 03:44:31 EDT 2011


Hello there,
I believe the Wireshark display filter should look something like this:
!(eth.ig == 1) and !(eth.dst == xx.yy.zz.tt.uu.vv),
where
!(eth.ig == 1)  - excludes broadcast and multicast
!(eth.dst == xx.yy.zz.tt.uu.vv) - excludes your router mac xx.yy.zz.tt.uu.vv
HTH
Rgds
Alex


--------------------------------------------------
From: "Rogelio" <scubacuda at gmail.com>
Sent: Monday, July 18, 2011 1:51 PM
To: <cisco-nsp at puck.nether.net>
Subject: [c-nsp] finding unicast flooding in Wireshark sniff

> I've got several L2TP tunnels hitting a Cisco 7201 and am trying to
> use Wireshark to determine what inside my tunnel is responsible for queue
> drops on one of the interfaces responsible for the L2TP termination. I
> inserted a Wireshark laptop in a hub between the LAC and the LNS, and
> I got a good 24 hour sniff of L2TP traffic.
>
> (A broadcast filter is on the router, so I strongly suspect unicast
> garbage is flooding my L2TP tunnels. I am trying to make a case for a
> good carrier grade switch that supports the UUFB feature)
>
> I'm relatively new to Wireshark and could use some suggestions on how
> to determine what is responsible for the traffic spikes in the IO
> graph.  I sorted the traffic by protocol hierarchy and found 99% of it
> inside the Ethernet / IP section is TCP, so I know that it's
> application level traffic.  I'm hoping to narrow this down a bit more
> and find the smoking gun.
>
> Any ideas where to start?  I feel like I'm poking around here and
> could use any pointers or suggestions others might have.  Ideally, I
> could make one "find unidentified unicast" filter and scan a big file
> for that characteristic.
>
> -- 
> Also on LinkedIn?  Feel free to connect if you too are an open
> networker: scubacuda at gmail.com
>
> 
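The filter logic from the reply above, as an added example that is not part of either message: it applies the same two tests (I/G bit clear, destination not the router) to raw Ethernet frames and counts the surviving frames per destination MAC, so the addresses receiving the most traffic stand out. The MAC addresses, the sample frames and the function names are constructed for illustration.

```python
from collections import Counter

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or dotted notation."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def is_group(dst):
    # eth.ig is the I/G bit: the least significant bit of the first octet.
    # 1 = broadcast or multicast, 0 = individual (unicast) address.
    return bool(dst[0] & 0x01)

def suspect_unicast(frames, router_mac):
    """Count frames matching !(eth.ig == 1) and !(eth.dst == router_mac),
    keyed by destination MAC. Frames without a full header are skipped."""
    router = parse_mac(router_mac)
    hits = Counter()
    for frame in frames:
        if len(frame) < 14:          # truncated: no complete Ethernet header
            continue
        dst = frame[0:6]
        if is_group(dst) or dst == router:
            continue
        hits[fmt_mac(dst)] += 1
    return hits

def make_frame(dst, src="02:00:00:00:00:99", ethertype=0x0800):
    # Constructed test frame: header plus 46 bytes of zero padding.
    return parse_mac(dst) + parse_mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

ROUTER = "02:00:00:00:00:01"         # constructed router MAC
SAMPLE = (                           # constructed capture contents
    [make_frame("ff:ff:ff:ff:ff:ff")]            # broadcast, excluded
    + [make_frame("01:00:5e:00:00:05")]          # multicast, excluded
    + [make_frame(ROUTER)] * 2                   # to the router, excluded
    + [make_frame("02:00:00:00:00:aa")] * 3      # unicast to another host
    + [make_frame("02:00:00:00:00:bb")]          # unicast to another host
    + [b"\x02\x00"]                              # truncated frame, skipped
)

if __name__ == "__main__":
    for mac, count in suspect_unicast(SAMPLE, ROUTER).most_common():
        print(f"{mac}  {count} frames")
```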

