Sorting out Captures from SPAN of entire VLAN


#1

I am troubleshooting a web-based application for a very large client. Unfortunately, I wasn’t able to do the captures myself, so when I asked the onsite IT for captures, they ran the captures from a SPAN port of an entire VLAN that contained a web-server cluster of two servers in fail over mode and a database cluster with four servers. So, the captures I got are completely skewed as far as delta time et al. Also, I’m not certain if the NIC on the capture device (a laptop w/wireshark) was matched to the switchport they used. So, for example, one of my captures shows over 250,000 retransmissions in 4 minutes, with delta times that indicate that they, of course, aren’t real retransmissions, but are a result of wireshark seeing all of the VLAN packets.

My question is this: Does anyone have any ideas of how to get any real information from this? In other words, is there a way to use wireshark to show me the data as it should be, instead of how it was distorted by the capture technique?

Of course, in hind-sight, I realize that I should have been much more specific in the where, when, and how I wanted the captures done. Especially considering that I’ve done the same thing when capturing in the past. Chalk it up to lesson learned!

Any help would be greatly appreciated. Thanks!