I have several pcaps I pulled from a Cisco switch using the web interface, which is a really convenient way to grab a capture of a switch port: no ACL, no SPAN, easy peasy. It's the Embedded Packet Capture feature. I preface my question because initially I was going to post this about some Expert Warnings I'm seeing. I'm capturing from both ends of an IPsec tunnel that has no known issue; I wanted to see what I could see so that when I do have an issue I have a benchmark to refer to.
But come to find out, about 20% of my captured packets have expected sequence number errors, and there are many SN missing in each ESP packet.
However, if you sort the Expert Info dialog box by protocol and expand ESP, every single time I grab one of these captures, which I've done about a dozen times now, the expected SN warnings begin with packet number 502. These captures from the web UI cap out at 100Mb, so it's upwards of 70k packets each time. But if I limit the capture to 500 packets instead, as expected, no errors.
The versions I'm using to view these on our datacenter mgmt servers are 4.2.6 and 4.2.9, so a little old; I haven't tried it on the latest 4.4.2 yet.
Clearly I'm reaching some sort of critical mass. Has anyone ever heard of an issue like this on the Wireshark side?
About the only other thing that's different is pulling the cap from the interface directly, through the Cisco Web UI, but I'm having trouble working that out in my head that it's problematic to do so...
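
One way to check the capture file independently of Wireshark's dissector, as an added example that is not part of the original post: read the ESP SPI and sequence number straight from the file's bytes and list per-flow gaps by frame number. It assumes a classic (non-pcapng) pcap with Ethernet framing, untagged IPv4, and ESP as IP protocol 50 (no NAT-T); `esp_gaps`, `sample_pcap` and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def esp_gaps(pcap: bytes):
    """Map (src, dst, spi) -> [(frame_no, expected_seq, seen_seq), ...]."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    last, gaps = {}, defaultdict(list)
    off, frame_no = 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        frame_no += 1  # same numbering as Wireshark's frame.number
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 50:
            continue  # not untagged IPv4 carrying ESP (IP protocol 50)
        if struct.unpack(">H", pkt[20:22])[0] & 0x1FFF:
            continue  # non-first IP fragment: no ESP header here
        ihl = (pkt[14] & 0x0F) * 4
        esp = pkt[14 + ihl:14 + ihl + 8]
        if len(esp) < 8:
            continue  # ESP header cut off by the snap length
        spi, seq = struct.unpack(">II", esp)
        flow = (pkt[26:30], pkt[30:34], spi)
        if flow in last and seq != last[flow] + 1:
            gaps[flow].append((frame_no, last[flow] + 1, seq))
        last[flow] = seq
    return dict(gaps)

def sample_pcap(seqs, spi=0x1000):
    """Constructed capture: one ESP flow 192.0.2.1 -> 192.0.2.2."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 50, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    for s in seqs:
        f = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack(">II", spi, s) + b"\x00" * 8
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(esp_gaps(sample_pcap([1, 2, 3, 6, 7])))  # constructed input
```

Gaps reported here at the same frame numbers Wireshark flags are present in the file itself, which points at the capture rather than at the viewer.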