Capturing FOG traffic with sniffer

  • Hello guys,

    I am currently running some tests to see how the production network infrastructure at work would cope with mass imaging. So far I’ve only used FOG in an isolated environment, only on blind switches (no VLANs, no management whatsoever). So I’ve set up a small test environment consisting of:

    • 2 x Cisco Catalyst 2960G switches
    • My FOG server connected on int Gi 0/1 on SW1
    • A test machine connected on int Gi 0/2 on SW2
    • I’ve linked the 2 switches through a PortChannel interface with 2Gbps bandwidth.

    I can deploy an image with no issues; however, I am interested in capturing and analyzing the traffic generated by the server. So I configured a SPAN port that mirrors the interface of the server, forwarding all the traffic to a machine where I have Wireshark installed. All the used ports are configured in access mode on the same VLAN: 666 🙂

    The issue is that I am sure that the port mirroring works, as I can see ARP and ICMP traffic, however no other packets coming from the FOG server; basically, I cannot see the image getting deployed. On the network card belonging to the machine with the sniffer installed I can see a lot of packets received, however in the Wireshark interface they don’t show. I might add that I have no filters set on the capture, and I also set it to promiscuous capture. I’ve tried using other packet sniffers and the outcome is the same.

    If you have any ideas why this is happening please let me know, and if you are curious about anything feel free to ask.

    So far I’ve imaged more than 600 computers using FOG, and it saved me a lot of trouble and the company a lot of money, so big thanks to the developers.


  • A quick Google came up with this thread. Perhaps it pertains to you?


  • I thought about this before, that the bzImage client actually pulls the image from the server, so that’s why I tried to mirror the client port as well, and still I got no result. I am guessing that Wireshark doesn’t know how to handle those packets, although they say that it does on that website. I cannot find another explanation, as I can see exactly the same amount of traffic on the interface that the sniffer is connected to as on the interfaces of the server/client. I will try to find other sniffing apps and will post the results. Thank you very much for your prompt answer. At least now I know what kind of traffic I am looking for.

  • What you’re looking for is NFS traffic. I know Deploy makes it sound like it’s being pushed from the server to the client, but it’s actually a pull.