Ask Your Question
0

Can Saving to a Network SAN drive cause a false positive of missing packets?

asked 2017-12-20 16:00:09 +0000

Will putting the save location of a Packet capture from wireshark to a Network SAN drive cause a false positive of missing packets as wireshark will not be able to write to the location fast enough because of network latency? (Not network itself dropping packets, but just a slow network)

I looked through documentation, but I did not see any recommendations to ensure that the save location for the packet capture is local to the server that is capturing the file.

History:

While recently working on an issue, I was attempting to troubleshoot an issue where my product's VOIP recorder was not recording any audio for certain calls.

I showed the customer how to set up a wireshark packet capture, and instructed them to run a packet capture periodically throughout the week to capture certain calls that they knew would not record.

However, when I looked at the packet capture, there was only 2 packets out of 80,000 RTP packets that we should have received, and we did not receive any SIP packets... even though our recorder said that we did. (logs showed that it received the SIP traffic)

We started to troubleshoot the wireshark itself to find out why it wasn't capturing the traffic as expected.

We found that the customer had been saving the file to a Network SAN drive that the customer had mapped to the server. Thinking that this might be the cause, we asked the customer to instead save the packet capture on a Local drive. (as in a HDD or SSD on the server itself)

After the customer ran a packet capture that was saved onto a local drive, we saw that the packet capture had received ALL of the packets without issue, and that we did in fact see the RTP and the SIP traffic.

It turns out it was an issue with the recorder itself, and not with their network...

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-12-20 16:41:40 +0000

Jaap gravatar image

Be aware that the network traffic caused by the Network SAN also goes through a network interface. If that interface happens to be the one you're capturing on then this will add to the data to the Network SAN, which..., ad infinitum.

So if you do this make sure to have the proper capture filters in place that you don't capture anything related to the Network SAN interaction.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-12-20 16:00:09 +0000

Seen: 219 times

Last updated: Dec 20 '17