Picking the best capture point
Determining the best location to perform a packet capture depends on several considerations:
The nature of the issue being investigated
The relative ability to perform a capture in a location that provides the highest degree of usefulness to the analysis
The amount of technical difficulty, risk, and time required to perform a capture at a given location
User location
If you're troubleshooting a user complaint, the first capture point should be at the user's workstation to gain a view from the user's perspective and verify/clarify the situation that the user is reporting. From this vantage point, you can:
Ensure that basic network services such as ARP and DNS are working correctly
Analyze the initial login process if the user authentication involves a different device than the target application server
Measure network round trip times from the user to the target host(s)
Determine whether the TCP session setup handshake is appropriate for the application being accessed...
