1 Reply Latest reply on Jun 4, 2013 10:41 AM by gooru4speed

    Packet capture on NSM v7.1 seeing only one side of connection

    rchenowe

      Sensor ports are in SPAN/TAP mode.

       

      I think I have Packet Capture set up correctly, but when I download the PCAP file, I only see one side of the TCP connection - the one with 10.9.5.10 as the source IP.  I don't see the return traffic, or inbound traffic where 10.9.5.10 is the destination IP.

       

      So my (abbreviated) PCAP looks something like:

       

      1     10.9.5.10->4.2.2.2 [SYN]

      2     10.9.5.10->4.2.2.2 [ACK]

       

      I never see the 4.2.2.2's [SYN,ACK] or any return traffic.

       

      Is this something to do with being in SPAN/TAP on the sensor and direction is indeterminate? I really need to get both sides to do troubleshooting.

       

      Thanks,

       

      -Roy-

       

       

      Here's an example of the defined rule.

       

       

      Capture Rules
      Monitoring Port | Traffic | Protocol | IP Version | Fragments Only? | Source IP | Source Mask | Source Port | Destination IP | Destination Mask | Destination Port | Vlan ID | Protocol Number
      10.9.5.10
      10.9.5.10