LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
09-28-2016, 02:06 PM   #1
JockVSJock
Senior Member
Registered: Jan 2004
Posts: 1,420
Question on using Wireshark to troubleshoot vlan traffic


I'm troubleshooting an issue between a few end users who are using accps to pull queries from an RHEL/Oracle server. The issue that they are having is application timeouts.

I've tried to use Wireshark to observe traffic between one of the end users' computers and the server, and I can't do it, because the end user is on one VLAN and the server is on another VLAN.

I'm wondering if others could recommend what they have done to detect this traffic? Creating an interface under /etc/sysconfig/network-scripts and then a file with the following:

Code:
DEVICE=eth0.10
VLAN=yes
BOOTPROTO=dhcp
ONBOOT=yes

From here can I just set a filter to monitor the traffic between the end user and server or do I have to do any other configuration on Wireshark?
09-29-2016, 08:06 AM   #2
lazydog
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Where are you trying to capture? That plays a role in whether you are going to see the traffic or not. The best place to capture would be at the server or at the client's end. Since it is a number of clients, I would opt for the server and set it up to capture everything from all clients having issues.

Wireshark is not going to be able to see your sub-interfaces, so it will be seeing everything on eth0.

09-29-2016, 08:37 AM   #3
JockVSJock
Senior Member
Registered: Jan 2004
Posts: 1,420
Original Poster
I'm trying to capture, with Wireshark, all sent/received traffic on the server that clients are having issues accessing.

The only issue is that the server is in one VLAN and the clients are in a separate VLAN. I'm not able to see any traffic when I set up Wireshark with the following filter:

Code:
ip.src==XX.XX.XX.XX && ip.dst==XX.XX.XX.XX
However, I can't see any traffic.

However, my computer is in the same VLAN as the server, and if I use the same filter as above and send a PING to that server from my desktop computer, I can observe the ICMP traffic.

I wasn't sure if Wireshark filters had to take into account the different VLANs.

Packetlife has a filter cheatsheet for Wireshark:

http://packetlife.net/media/library/...ay_Filters.pdf

And I see a VLAN filter, however I'm not sure how to apply it.

When I inspect the packets with Wireshark I don't see any VLAN tags.

thanks
09-29-2016, 10:32 AM   #4
lazydog
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
The source IP addresses should not be changing, and you should be able to see them in your capture no matter where they are coming from. The only thing that changes is the MAC address. If you are not seeing them, then you are either capturing on the wrong interface or on the wrong server.

Maybe you would be better off using tcpdump?

I use this to capture what I'm looking for on my F5 which is RHEL:

Code:
tcpdump -ni 0.0:nnnp -s0 -vw /var/tmp/reset-cause_$(date +%d_%m_%H:%M).pcap '(host 10.6.33.3 and 10.128.3.174) and (port 443)'
I like using host instead of src and dst, as it will capture traffic in both directions. You just need to adapt the IP addresses and port to what you are looking for. The first IP is that of the client and the second one is that of the server. I then look at it with Wireshark to figure out what is happening.

09-30-2016, 08:29 AM   #5
JockVSJock
Senior Member
Registered: Jan 2004
Posts: 1,420
Original Poster
Got this to work:

Code:
/usr/sbin/tcpdump -n host XXX.XX.XXX.XX
Fooled around with a few of the filters and got these to work; I don't know why they didn't work the first time. I don't use Wireshark every day, only when I need to troubleshoot network issues.

Code:
ip.addr==xxx.xxx.xxx.xx

ip.src==xxx.xx.xx.xxx && ip.dst==xxx.xx.xxx.xx

I'm wondering, though: when doing the packet analysis, it looks like there isn't any info on VLAN tags on the packet, correct?
09-30-2016, 10:46 AM   #6
lazydog
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Not sure about the VLAN tags in Wireshark, as I haven't had to look at them.

I would make a suggestion that you not limit your capture to src and dst address. The reason I say this is that you will only see one side of the conversation.

For example, if the src is the client and dst is the server, you will only ever see the client-to-server traffic and not the server-to-client, which most likely will have the reason why something isn't working.
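As an added illustration (not code from this thread or from either poster), the constructed Python below decodes a few hand-built frames to show both points raised in posts #5 and #6: where an 802.1Q tag sits in a frame if the capture point preserves it, and why an ip.src/ip.dst pair only matches one direction while ip.addr (or BPF host) matches both. All MAC and IP addresses in it are made up.

```python
import struct

CLIENT = "10.0.20.15"   # constructed sample addresses, not the poster's
SERVER = "10.0.10.5"

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Construct an Ethernet frame carrying a minimal IPv4 header.
    With vlan_id set, an 802.1Q tag (EtherType 0x8100 + TCI) is inserted
    before the IPv4 EtherType, as a trunk port or the parent NIC shows it."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    eth += struct.pack("!H", 0x0800)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip_hdr

def decode(frame):
    """Return (vlan_id or None, src_ip, dst_ip) for an IPv4 frame."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == 0x8100:                       # tagged: 4 extra bytes
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        return vlan_id, None, None
    src = ".".join(str(b) for b in frame[offset + 12:offset + 16])
    dst = ".".join(str(b) for b in frame[offset + 16:offset + 20])
    return vlan_id, src, dst

def filter_src_dst(frames, a, b):
    """Like the display filter  ip.src==a && ip.dst==b : one direction only."""
    return [f for f in frames if decode(f)[1:] == (a, b)]

def filter_addr(frames, a, b):
    """Like  ip.addr==a && ip.addr==b  (or BPF 'host a and host b'): both ways."""
    return [f for f in frames if set(decode(f)[1:]) == {a, b}]

# Constructed two-way conversation plus one unrelated frame; the client's
# packet arrives tagged with VLAN 20, the server's reply untagged.
CAPTURE = [build_frame(CLIENT, SERVER, vlan_id=20),
           build_frame(SERVER, CLIENT),
           build_frame("10.0.10.9", SERVER)]

if __name__ == "__main__":
    print([decode(f) for f in CAPTURE])
    print(len(filter_src_dst(CAPTURE, CLIENT, SERVER)), "frame(s): src/dst filter")
    print(len(filter_addr(CAPTURE, CLIENT, SERVER)), "frame(s): addr/host filter")
```

On Linux a capture on a VLAN sub-interface such as eth0.10 hands tcpdump frames with the tag already removed, which is why no vlan fields show up; to see the tag you capture on the parent eth0, and even there a NIC with receive VLAN offload enabled may strip it before the capture point.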
09-30-2016, 12:40 PM   #7
JockVSJock
Senior Member
Registered: Jan 2004
Posts: 1,420
Original Poster
Quote:
Originally Posted by lazydog

I would make a suggestion that you not limit your capture to src and dst address. The reason I say this is that you will only see one side of the conversation.

For example, if the src is the client and dst is the server, you will only ever see the client-to-server traffic and not the server-to-client, which most likely will have the reason why something isn't working.
I'm trying to troubleshoot why an end user is having issues while a user sitting across the hallway isn't having issues.

Right now I'm just using the IP addresses of the users and the server to look at the traffic, unless you can make another recommendation.

thanks