I'm troubleshooting an issue between a few end users who are using accps to pull queries from an RHEL/Oracle server. The issue that they are having is application timeouts.

I've tried to use Wireshark to observe traffic between one of the end user's computer and the server and I can't do it, because the end user is on one VLAN and the server is on another VLAN.

I'm wondering if others could recommend what they have done to detect this traffic? Creating an interface under /etc/sysconfig/network-scripts and then a file with the following:


From here can I just set a filter to monitor the traffic between the end user and server or do I have to do any other configuration on Wireshark?

Where are you trying to capture? That plays a role on if you are going to see the traffic or not. Best place to capture would be at the server or at the clients end. Since it is a number of clients I would opt for the server and set it up to capture everything from all clients having issues.

Wireshark is not going to be able to see your sub interfaces so it will be seeing everything on eth0.

I'm trying to capture all sent/received traffic on that server that clients are having issues accessing with Wireshark.

The only issue is that the server is in one VLAN and the clients are in a separate VLAN. I'm not able to see any traffic when I setup Wireshark with the following filter:

However I can't see any traffic.

However my computer is in the same VLAN as the server and if I use the same filter as above and I send a PING to the that server from my Computer Desktop, I can observer the ICMP traffic.

I wasn't sure if Wireshark filters had to take into account the different VLANs.

Packetlife has a filter cheatsheet for Wireshark:

http://packetlife.net/media/library/...ay_Filters.pdf

And I see a VLAN filter, however I'm not sure how to apply it.

When I inspect the packets with Wireshark I don't see any VLAN tags.

thanks

The Source IP Addresses should not be changing and you should be able to see them in your capture no matter where they are coming from. The only thing that changes is the MAC Address. If you are not seeing them then you are either capturing on the wrong interface or on the wrong server.

Maybe you would be better off using tcpdump?

I use this to capture what I'm looking for on my F5 which is RHEL:

I like using host instead of src and dst as it will capture traffic in both directions. You just need to adapt the ip address and port to what you are looking for. The first IP is of the client and the second one is of the server. I then look at it with wiresharke to figure out what is happening.

Got this to work:

Fooled around with a few of the Filters and I got these to work, I don't know why they didn't work the first time. I don't use Wireshark everyday, only when I need to troubleshoot network issues.


I'm wondering though, when doing the packet analysis, looks like there isn't any info on VLAN tags on the packet, correct?

Not sure about the VLAN tags in wireshark as I haven't had to look at them.

I would make a suggestion that you not limit your capture to src and dst address. The reason I say this is you will only see one side of the conversation.

For example it the src is the client and dst is the server you will only ever see the client to server traffic and not the server to client which most likely will have the reason why something isn't working.

I'm trying to troubleshoot why an end user is having issues while a user sitting across the hallway isn't having issues.

Right now I'm just using the ip address of the users and server to look at the traffic, unless you can make another recommendation.

thanks