I was using monitoring, but I got so much data I just had a look after that at the traffic between the laptop and other devices. Using RDP, I was impressed to see that Wireshark put in a filter for the RDP traffic automatically.

I think that the right point has been made in that Wireshark is perhaps a bit too detailed for what I'm trying to look at here. Basically we are encountering a lot of Citrix performance issues and some people are trying to heap it all on the network. It is "mean time to innocence". The DCs here are hosting roaming profiles and redirected files too, so a lot of traffic was anticipated to/from them - most of it is SMB stuff. I will give the suggestion of MRTG and PRTG a try to see if I don't have to dig through all these logs :-) However, my impression of the network performance is that it probably isn't to blame for their Citrix issues. Probably needs some decent application isolation, or something like that, but I have to address the theories being bandied around first :-(

Thanks for the responses,

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]]
Sent: 11 March 2008 14:21
To: NT System Admin Issues
Subject: Re: Wireshark query

On Tue, Mar 11, 2008 at 7:41 AM, Rankin, James R <[EMAIL PROTECTED]> wrote:
> Would a capture file of approx 150MB/min thru Wireshark indicate a saturated
> network? I've connected a single laptop to the switch at a client site with
> the NIC in promiscuous mode and it is spewing out data ...

Not necessarily. 100 megabit/sec is equal to roughly 12 mebibytes/second. That's 720 MiB/min if Wireshark is capturing the complete contents of every frame. Twice that at full duplex -- 1440 MiB/min. All theoretical maximums, of course -- actual throughput should be a lot lower. But 150 MiB/min is within the realm of reasonable possibility, I think.

Of course, I've never actually tried to find the maximum amount of data I can suck off a wire -- I'm usually optimizing in the other direction (with capture filters). :-)

> Most of the traffic seems to be to or from a single domain controller.

That might be reasonable, if the DC is doing other things. Is it a file server, or Internet gateway, or anything else other than DC? Is the DC downloading Windows Updates through the LAN?

What you really need to do is analyze the traffic. Capture 30 seconds worth or so, and then look at what it is. Is it SMB? MS SQL? HTTP? BitTorrent?

One thing to watch out for -- if you're connecting to the laptop running the sniffer using a remote access method (like RDP), make sure you exclude the remote access protocol with a capture filter. Otherwise, when the screen updates get sent over the network, Wireshark captures that, updates the screen, sending more net data, which gets captured...

Also: You mention a switch. Are you using mirroring/monitoring to collect traffic from other ports on the switch, or is this just traffic between the laptop and the server you're seeing?

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
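The procedure Ben describes (bound the capture to 30 seconds, keep the RDP session to the sniffer out of it with a capture filter, then ask what protocols and which hosts dominate) as an added shell example; it is not from the thread, and the interface name, file name and addresses are placeholders.

```shell
#!/bin/sh
# Added example: the capture recipe from the reply above, with the link-rate
# arithmetic alongside it. Addresses and interface are placeholders.

# Theoretical ceiling of a link in whole MiB per minute, one direction.
# 100 Mbit/s -> 12,500,000 bytes/s -> 715 MiB/min (the "roughly 720" above);
# double it for full duplex. A real capture should sit well below this.
link_max_mib_per_min() {
    mbit=$1
    echo $(( mbit * 1000000 / 8 * 60 / 1048576 ))
}

# BPF capture filter that drops only the RDP (TCP 3389) conversation between
# the admin workstation and the sniffer, so screen updates of the capture
# window are not themselves captured (the feedback loop Ben warns about).
rdp_exclusion_filter() {
    sniffer=$1; admin=$2
    echo "not (tcp port 3389 and host $sniffer and host $admin)"
}

# tshark command for a 30-second full-payload capture on the mirror port.
capture_cmd() {
    iface=$1; outfile=$2; filter=$3
    printf 'tshark -i %s -a duration:30 -f "%s" -w %s\n' "$iface" "$filter" "$outfile"
}

# Offline summaries of the saved file: protocol hierarchy (SMB? HTTP? SQL?)
# and the busiest IP conversations (is the DC really the hot spot?).
summary_cmds() {
    outfile=$1
    printf 'tshark -r %s -q -z io,phs\n' "$outfile"
    printf 'tshark -r %s -q -z conv,ip\n' "$outfile"
}

main() {
    filter=$(rdp_exclusion_filter 192.0.2.10 192.0.2.20)   # placeholder hosts
    echo "100 Mbit/s link: at most $(link_max_mib_per_min 100) MiB/min one way"
    capture_cmd eth0 lan.pcapng "$filter"
    summary_cmds lan.pcapng
}
main   # prints the commands; run them by hand with capture privileges
```

Compare the capture file size against the printed ceiling, and read the `io,phs` output before `conv,ip`: if SMB to the file-serving DC dominates, that matches the roaming-profile traffic you expect rather than a saturated network.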
