Wireshark-dev: [Wireshark-dev] seeking advice on how to reconcile two packet captures

From: Brian Reichert <reichert@xxxxxxxxxxx>
Date: Mon, 28 Aug 2023 11:21:52 -0400
This question isn't specific to Wireshark, but I couldn't find a
good forum.  By all means, I'm open to suggestions as to where it
would be more appropriate to ask about this.

Anyway:

I'm trying to automate the reconciliation of a pair of packet
captures of a TCP session.

This is sort of a combination of:

- reconstructing a TCP 'flow' as Wireshark currently does, and
- correlating an individual packet within one capture with packet(s)
  in the second capture.

The overall goal is to generate some insight on network latency.

I'm very close, but not close enough.

I naively thought that I could 'just' chain sets of packets by
comparing absolute sequence numbers, and the respective ACK numbers.

But, given the example captures I have, this is proving to be not
adequate.

This is obviously an open-ended request for advice. I'd be happy
for any I can get, including a 'go ask there' suggestion.

Thanks!

-- 
Brian Reichert				<reichert@xxxxxxxxxxx>
BSD admin/developer at large
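One way to go beyond the plain seq/ACK comparison described above, as an added example that is not the poster's code: match each sighting in the downstream capture to the latest not-yet-consumed copy in the upstream capture with the same (src, dst, seq, ack, length) key, so that a retransmission pairs with the copy that actually arrived and the lost copy is reported separately. The two captures, host addresses and timestamps are constructed for the example, and the capture clocks are assumed to be synchronised to well under one RTT.

```python
from bisect import bisect_right
from collections import defaultdict

CLIENT, SERVER = "10.0.0.1", "10.0.0.2"   # constructed endpoint addresses

def pkt(ts, src, dst, seq, ack, length):
    return {"ts": ts, "src": src, "dst": dst, "seq": seq, "ack": ack, "len": length}

# Constructed sample captures (not real traffic): A taken at the client, B at
# the server. The client's first data segment is lost and retransmitted.
CAPTURE_A = [pkt(0.000, CLIENT, SERVER, 1, 1, 100),
             pkt(0.200, CLIENT, SERVER, 1, 1, 100),   # retransmission, same key
             pkt(0.230, SERVER, CLIENT, 1, 101, 0),
             pkt(0.235, CLIENT, SERVER, 101, 1, 50)]
CAPTURE_B = [pkt(0.210, CLIENT, SERVER, 1, 1, 100),   # only the retransmission arrives
             pkt(0.215, SERVER, CLIENT, 1, 101, 0),
             pkt(0.245, CLIENT, SERVER, 101, 1, 50)]

def key(p):
    # Fields that survive the path unchanged between the two capture points.
    return (p["src"], p["dst"], p["seq"], p["ack"], p["len"])

def pair_direction(upstream, downstream):
    """Pair each downstream sighting with the latest unconsumed upstream copy of
    the same key sent no later than the sighting; leftovers were never seen."""
    by_key = defaultdict(list)
    for p in sorted(upstream, key=lambda p: p["ts"]):
        by_key[key(p)].append(p)
    pairs = []
    for d in sorted(downstream, key=lambda p: p["ts"]):
        cands = by_key[key(d)]
        i = bisect_right([c["ts"] for c in cands], d["ts"]) - 1
        if i >= 0:
            u = cands.pop(i)
            pairs.append((u, d, round(d["ts"] - u["ts"], 6)))   # one-way delay
    lost = [p for cs in by_key.values() for p in cs]
    return pairs, lost

def reconcile(cap_a, host_a, cap_b, host_b):
    """For each direction, the capture at the sending host is upstream."""
    c2s = pair_direction([p for p in cap_a if p["src"] == host_a],
                         [p for p in cap_b if p["src"] == host_a])
    s2c = pair_direction([p for p in cap_b if p["src"] == host_b],
                         [p for p in cap_a if p["src"] == host_b])
    return {"pairs": c2s[0] + s2c[0], "lost": c2s[1] + s2c[1]}

if __name__ == "__main__":
    print(reconcile(CAPTURE_A, CLIENT, CAPTURE_B, SERVER))
```

Duplicate ACKs and retransmissions that both arrive are still paired in order because each match consumes its upstream copy; what the heuristic cannot recover is a clock offset between the capture hosts, which shifts every delay by the same amount.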