Can Saving to a Network SAN drive cause a false positive of missing packets?

Will putting the save location of a packet capture from Wireshark on a network SAN drive cause a false positive of missing packets, as Wireshark will not be able to write to the location fast enough because of network latency? (Not the network itself dropping packets, but just a slow network.)

I looked through documentation, but I did not see any recommendations to ensure that the save location for the packet capture is local to the server that is capturing the file.

History:

While recently working on an issue, I was attempting to troubleshoot an issue where my product's VOIP recorder was not recording any audio for certain calls.

I showed the customer how to set up a Wireshark packet capture, and instructed them to run a packet capture periodically throughout the week to capture certain calls that they knew would not record.

However, when I looked at the packet capture, there were only 2 packets out of 80,000 RTP packets that we should have received, and we did not receive any SIP packets, even though our recorder said that we did (logs showed that it received the SIP traffic).

We started to troubleshoot Wireshark itself to find out why it wasn't capturing the traffic as expected.

We found that the customer had been saving the file to a network SAN drive that the customer had mapped to the server. Thinking that this might be the cause, we asked the customer to instead save the packet capture on a local drive (as in an HDD or SSD on the server itself).

After the customer ran a packet capture that was saved onto a local drive, we saw that the packet capture had received ALL of the packets without issue, and that we did in fact see the RTP and the SIP traffic.

It turns out it was an issue with the recorder itself, and not with their network...