Looking for No traffic on Ethernet Interface
More specifically, I have a Linux system that would at times see no inbound traffic. Not even broadcast. A local Wireshark capture will show a time gap in the capture file.
For example, the WS capture will show all the broadcasts the Ethernet interface receives every second...
Suddenly, at (say) 3:45:00am all traffic stops....
The next record # in the WS capture will show 4:20:05am...
And all seems to be back to normal going forward....
During the "dead" period, outside sources will not be able to get to this local Linux machine. That is, it will not answer any ARP request and so no router or switch will know where it is and where to go. However, if within the local Linux machine I just ping out once and flood the ARP table of my network, all goes back to normal, as all the switches and routers know what MAC goes with what IP address. It is like I have some kind of sleep situation within my local box. Very odd and weird.
Since this box is custom hardware, unlike a normal server or PC, I cannot just change things out to try easily.
Any advice on how to find those gaps within a WS capture file? I do not want to have to brute force by manpower to look for gaps within this file... This is to aid me in finding issues as I start swapping hardware and firmware to try to confirm if I still have the issue or I have "nailed" and fixed the problem...
Thanks for any advice, in advance....
Look at the options your managed switch provides for performance data collection. This kind of behaviour I expect happens at the lowest level (L1) of the network stack, something it should have PM data on. If it collects in bins you should be able to pinpoint these events in the 15 minute bins. If your network switch is of the simple kind you won't get much help from it.
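For the question of locating the dead periods without reading the capture by hand, here is an added example (not part of the original posts) that walks the record timestamps of a capture file and reports every silence longer than a threshold. It assumes the capture is saved in classic pcap format rather than pcapng; the function names, the 5-second threshold and the sample bytes are constructed for illustration.

```python
import io
import struct

# Classic libpcap magic bytes -> (struct byte order, timestamp fraction per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def find_gaps(stream, threshold=5.0):
    """Return (frame_no, prev_ts, ts, gap_s) for each silence longer than
    threshold seconds; frame_no is the 1-based first frame after the gap."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not classic pcap; convert pcapng captures first")
    order, per_second = MAGICS[header[:4]]
    gaps, prev, frame_no = [], None, 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:                      # end of file or truncated record
            break
        sec, frac, incl_len, _orig_len = struct.unpack(order + "IIII", rec)
        stream.seek(incl_len, io.SEEK_CUR)     # skip the packet bytes
        frame_no += 1
        ts = sec + frac / per_second
        if prev is not None and ts - prev > threshold:
            gaps.append((frame_no, prev, ts, ts - prev))
        prev = ts
    return gaps

def build_sample():
    """Constructed capture: one frame per second, silent from 03:45:00 to
    04:20:05 (timestamps are seconds since midnight to keep it readable)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec in (13498, 13499, 13500, 15605, 15606):
        frame = bytes(60)                      # dummy 60-byte Ethernet frame
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # For a real file: find_gaps(open("capture.pcap", "rb"))  (hypothetical name)
    for frame_no, prev, ts, gap in find_gaps(io.BytesIO(build_sample())):
        print(f"frame {frame_no}: no traffic for {gap:.0f} s ({prev:.0f} -> {ts:.0f})")
```

The reported frame number matches the record number Wireshark shows for the first packet after the silence, so each hit can be opened directly in the capture.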