When opening a single capture packet in Transaction Analyzer, I see multiple pairs of IP addresses which are not a part of my network at any point.
These bogus pairs only show up when the pcap is opened as a Single Capture and not in Trace Explorer view.
Why do single packet captures in Transaction Analyzer show unknown IP address pairs ?
Categories:
Solution Number:
S34159
Last Modified:
2020-05-04
Issue
Solution
Opening packet captures as a Single Capture in Transaction Analyzer examines the entire payload of the packet, while Trace Explorer extracts only basic IP information.
This allows us to use Trace Explorer to verify if it can view the correct IP pairs in the packet.
However, the reason Transaction Analyzer adds the bogus pairs is due to the presence of Q-in-Q tagged packets in the capture file.
Transaction Analyzer does not support the analysis of 802.1ad frames and doing so results in bogus pairs being seen in the capture view.
The workaround is to select 802.1q tagged packets in your packet broker application instead of the 802.1ad and capture traffic once again.
This can be done from the Global Settings page of your packet broker application.
This allows us to use Trace Explorer to verify if it can view the correct IP pairs in the packet.
However, the reason Transaction Analyzer adds the bogus pairs is due to the presence of Q-in-Q tagged packets in the capture file.
Transaction Analyzer does not support the analysis of 802.1ad frames and doing so results in bogus pairs being seen in the capture view.
The workaround is to select 802.1q tagged packets in your packet broker application instead of the 802.1ad and capture traffic once again.
This can be done from the Global Settings page of your packet broker application.
Environment
SteelCentral Transaction Analyzer 17.x
Related Bugs
Attachments
Related Files
NOTICE: Riverbed® product names have changed. Please refer to the Product List for a complete list of product names.
Can't find an answer? Create a case