Ethereal-users: [Ethereal-users] Loading and analyzing multiple capture files

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "mail.ag" <mail.ag@xxxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Mar 2005 15:12:07 -0500
Greetings:

There have been a few threads in the past months concerning loading and analyzing multiple captures of the same traffic. See:

http://www.ethereal.com/lists/ethereal-users/200503/msg00158.html
http://www.ethereal.com/lists/ethereal-users/200502/msg00026.html
http://www.ethereal.com/lists/ethereal-users/200412/msg00327.html

I wanted to restart and follow-up on this discussion by describing a problem I was trying to isolate by running multiple captures.

I've got a VoIP trunk that runs entirely on a simple, 4 switch, layer 2 network. RTCP collector reported packet loss which was corroborated by user reports of poor quality. The problem was intermittent and unreproducible. My troubleshooting strategy was to run multiple, simultaneous captures and attempt to compare the files in order to isolate the problem.

Sounds easy, but as the above threads mentioned, there is no way to do this in ethereal, or as best I can tell any other tool. The best thing I could come up with is to use tcptrace (http://jarok.cs.ohiou.edu/software/tcptrace/index.html) which has some rudimentary UDP analysis. Attempting to correlate RTCP reported problems (which provided only the time of a problem and not extension pairs), user reports of problems, Q931 & H323 & H225 signaling information with UDP port number pairs proved to be nearly impossible given the high call volume. I was able to use tcptrace when traffic was light (and we weren't having problems) just to prove the process worked, but clearly, this wont scale.

The ability to load multiple capture files of the same traffic for analysis would be invaluable for packet loss isolation, but would also be useful for many other types of analysis (as mentioned in one of the above threads, firewall troubleshooting. If you want to get fancy, you could even consider propagation delay and jitter analysis, though the timing requirements may be a bit onerous (ntp doesn't have the resolution to do this, and commodity NICs may not timestamp correctly).

So, to summarize, I've found tcptrace to be of some use in analyzing multiple copies of the same traffic (for both tcp & udp), but would appreciate any insight others may have in how to handle these problems.


Thanks.

Andrew