
This product reached the end of support date on March 31, 2021.

Analyzing Captured Traffic



one of the recommendations is to

Capturing packets on AMD

I found over 20% of the packets captured were one-sided conversations (only contained rx or tx). The devices were not using UDP; therefore, these should have been two-sided. Checking the monitor port configuration, it was set to rx only. I am discussing with my WAN engineers to reconfigure to both.

What other signs/anomalies/patterns should I be looking for in the capture to determine if the SPANs are still improperly configured? What else would be causing the sequence gap and the duplicates seen?

Thanks and God bless,


DynaMight Leader

Hello Genesius,

Below are some highlighted points which need to be considered to make DCRUM work properly. Review the documentation link for more insight.

  • Your switch needs free resources (processor, memory) to process port mirroring.
  • Make sure you filter out the non-IP traffic on your SPAN.
  • Make sure you are getting unicast traffic for the services you're about to monitor. Just multicast traffic will not get you any good results.
  • You must have a way to deduplicate traffic before you analyze, otherwise, you are likely to draw bad conclusions.
  • You need to evaluate the risk of over-subscription of the destination port.
  • You should check that there are no checksum or CRC errors (in your switch management interface).
  • Response time measurement requires seeing the requests… and the responses, and measuring the time intervals between them. If you see traffic only Client to Server or Server to Client, you will not get any meaningful data.
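
The three symptoms raised in this thread (one-sided conversations, duplicates, sequence gaps) can be counted per capture to check whether a SPAN change actually helped. The following is an added example, not part of the original posts or of DCRUM: the packet records are constructed, and treating an identical record (same IP ID and TCP sequence number) as a mirror duplicate rather than a retransmission is a heuristic assumption.

```python
from collections import defaultdict

# Constructed sample records, one per TCP packet:
# (src_ip, src_port, dst_ip, dst_port, ip_id, tcp_seq, payload_len)
PACKETS = [
    ("10.0.0.5", 50112, "10.0.1.9", 443, 101, 1000, 200),   # client -> server
    ("10.0.1.9", 443, "10.0.0.5", 50112, 900, 5000, 1400),  # server -> client
    ("10.0.0.5", 50112, "10.0.1.9", 443, 101, 1000, 200),   # identical copy: mirrored twice
    ("10.0.0.6", 50200, "10.0.1.9", 443, 300, 7000, 150),   # reply direction never captured
    ("10.0.0.6", 50200, "10.0.1.9", 443, 301, 7150, 150),
    ("10.0.0.7", 50300, "10.0.1.9", 443, 400, 100, 100),
    ("10.0.1.9", 443, "10.0.0.7", 50300, 950, 9000, 500),
    ("10.0.1.9", 443, "10.0.0.7", 50300, 952, 10000, 500),  # bytes 9500-9999 missing
]

def analyze(packets):
    """Count SPAN-quality symptoms: one-sided conversations, duplicates, sequence gaps."""
    directions = defaultdict(set)  # conversation -> set of sending endpoints seen
    seen = set()                   # full records already observed
    next_seq = {}                  # directed flow -> next expected TCP sequence number
    duplicates = gaps = 0
    for pkt in packets:
        src, sport, dst, dport, _ip_id, seq, length = pkt
        a, b = (src, sport), (dst, dport)
        conv = (min(a, b), max(a, b))  # direction-independent conversation key
        directions[conv].add(a)
        if pkt in seen:
            # A retransmission normally carries a new IP ID; an identical
            # record points at the same frame being mirrored more than once.
            duplicates += 1
            continue
        seen.add(pkt)
        flow = (a, b)
        # A jump past the expected sequence number means the capture missed
        # bytes in this direction (sequence wrap-around is ignored here).
        if flow in next_seq and seq > next_seq[flow]:
            gaps += 1
        next_seq[flow] = max(next_seq.get(flow, 0), seq + length)
    one_sided = sorted(c for c, d in directions.items() if len(d) == 1)
    return {
        "conversations": len(directions),
        "one_sided": one_sided,
        "one_sided_ratio": len(one_sided) / len(directions),
        "duplicates": duplicates,
        "sequence_gaps": gaps,
    }

if __name__ == "__main__":
    print(analyze(PACKETS))
```

A one-sided ratio that stays high after the monitor port is set to both directions, or gaps that appear only at peak load, would point toward asymmetric routing or destination-port over-subscription rather than the rx/tx setting.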