    Packet capture on NSM v7.1 seeing only one side of connection


      Sensor ports are in SPAN/TAP mode.


      I think I have Packet Capture set up correctly, but when I download the PCAP file, I only see one side of the TCP connection - the one with as the source IP.  I don't see the return traffic, or inbound traffic where is the destination IP.


      So my (abbreviated) PCAP looks something like:


      1> [SYN]

      2> [ACK]


      I never see the's [SYN,ACK] or any return traffic.


      Is this something to do with being in SPAN/TAP on the sensor and direction is indeterminate?   I really need to get both sides to do troubleshooting.







      Here's an example of the defined rule.



      Capture Rules
      Monitoring Port | Traffic | Protocol | IP Version | Fragments Only? | Source IP | Source Mask | Source Port | Destination IP | Destination Mask | Destination Port | Vlan ID | Protocol Number