Ethereal-users: [Ethereal-users] Loading and analyzing multiple capture files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "mail.ag" <mail.ag@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Mar 2005 15:12:07 -0500
Greetings:
There have been a few threads in the past months concerning loading and analyzing multiple captures of the same traffic. See: 
http://www.ethereal.com/lists/ethereal-users/200503/msg00158.html
http://www.ethereal.com/lists/ethereal-users/200502/msg00026.html
http://www.ethereal.com/lists/ethereal-users/200412/msg00327.html
I wanted to restart and follow-up on this discussion by describing a problem I was trying to isolate by running multiple captures. 
I've got a VoIP trunk that runs entirely on a simple, 4 switch, layer 2 
network.  RTCP collector reported packet loss which was corroborated by 
user reports of poor quality.  The problem was intermittent and 
unreproducible.  My troubleshooting strategy was to run multiple, 
simultaneous captures and attempt to compare the files in order to 
isolate the problem.

Sounds easy, but as the above threads mentioned, there is no way to do 
this in ethereal, or as best I can tell any other tool.  The best thing 
I could come up with is to use tcptrace 
(http://jarok.cs.ohiou.edu/software/tcptrace/index.html) which has some 
rudimentary UDP analysis.  Attempting to correlate RTCP reported 
problems (which provided only the time of a problem and not extension 
pairs), user reports of problems, Q931 & H323 & H225 signaling 
information with UDP port number pairs proved to be nearly impossible 
given the high call volume.  I was able to use tcptrace when traffic was 
light (and we weren't having problems) just to prove the process worked, 
but clearly, this wont scale.

The ability to load multiple capture files of the same traffic for 
analysis would be invaluable for packet loss isolation, but would also 
be useful for many other types of analysis (as mentioned in one of the 
above threads, firewall troubleshooting.  If you want to get fancy, you 
could even consider propagation delay and jitter analysis, though the 
timing requirements may be a bit onerous (ntp doesn't have the 
resolution to do this, and commodity NICs may not timestamp correctly).

So, to summarize, I've found tcptrace to be of some use in analyzing 
multiple copies of the same traffic (for both tcp & udp), but would 
appreciate any insight others may have in how to handle these problems.


Thanks.

Andrew