Wireshark-users: Re: [Wireshark-users] Comparing packets

Date: Wed, 13 Jun 2007 08:31:21 -0500



I have found this filter to be useful, in some cases, for removing TCP
duplicates.
It is not perfect, by any means, but is a quick way to remove most cases of
duplicates.
The logic is this:
Remove the first TCP duplicate acknowledgement and remove any
retransmission that takes place in under 5 milliseconds.
The danger is that, if you truly do get any case of a real single duplicate
acknowledgement, it will be removed, but if you take this into account when
viewing the trace it is a small price to pay for a quick removal of
duplicates.
Of course, this will not take any action on UDP packets.


not (tcp.analysis.duplicate_ack_num == 1) and not (tcp.analysis.rto < .005)

Ed Staszko
Telecomm Analyst
Mutual of Omaha



                                                                           
             "Stephen Fisher"                                              
             <stephentfisher@y                                             
             ahoo.com>                                                  To 
             Sent by:                  "Community support list for         
             wireshark-users-b         Wireshark"                          
             ounces@wireshark.         <wireshark-users@xxxxxxxxxxxxx>     
             org                                                        cc 
                                                                           
                                                                   Subject 
             06/12/2007 06:51          Re: [Wireshark-users] Comparing     
             PM                        packets                             
                                                                           
                                                                           
             Please respond to                                             
                "Community                                                 
             support list for                                              
                Wireshark"                                                 
             <wireshark-users@                                             
              wireshark.org>                                               
                                                                           
                                                                           




On Wed, May 23, 2007 at 06:14:53PM +0100, Piers Kittel wrote:

> So, the computers were run at the same time to capture the packets
> going between device A and B.  I've got 2 files, like
> A-20070522-162040.gz and B-20070522-162040.gz.  I've merged the two,
> and filtered out the packets I'm not interested in.  Naturally, I see
> double of nearly all packets.  What I'm interested in is to find
> packets that failed to reach the other side, so I'd like to filter out
> all packets that arrived successfully - how do I do this?

> Packet 4 failed to arrive however.  How do I filter out Packets 1 and
> 2 but not 3?

There currently isn't a way to detect duplicate packets in Wireshark
that I know of.  What would be needed is some sort of duplicate
detection that compares the payload of each packet against each other
packet.  That would be computationally expensive, so it might be best
left as an option that you run one time, perhaps as part of the merge
captures process.  Would it work for you to simply be told which are
duplicates or would you prefer them to be displayed in the protocol tree
(by default the middle pane) and be filterable?  It would be best if you
could go to http://bugs.wireshark.org and submit a bug report requesting
this and mark it as an "enhancement request."  Thanks!


Steve

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
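As an added illustration of the payload-comparison approach Steve describes (this is not Wireshark code and not from anyone on the thread), the script below pairs packets from the two merged captures by a hash of their bytes within a time window and reports the packets that have no counterpart on the other side; the packet records and the "A"/"B" capture labels are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample: (capture, timestamp in seconds, raw bytes). Captures "A" and
# "B" sit on either side of the link, so every packet should show up in both.
PACKETS = [
    ("A", 0.000, b"SYN seq=1"),
    ("B", 0.002, b"SYN seq=1"),
    ("A", 0.010, b"DATA seq=2"),
    ("B", 0.012, b"DATA seq=2"),
    ("A", 0.020, b"DATA seq=3"),   # never seen at B: this copy was lost
    ("A", 0.250, b"DATA seq=3"),   # retransmission, which does arrive
    ("B", 0.252, b"DATA seq=3"),
    ("B", 0.300, b"ACK ack=4"),    # only seen at B: lost on the way to A
]

def packet_key(raw: bytes) -> str:
    """Fingerprint of the bytes that should be identical at both capture points."""
    return hashlib.sha256(raw).hexdigest()

def find_unmatched(packets, window=0.1):
    """Pair each capture-A packet with one still-unused capture-B packet carrying
    the same bytes within `window` seconds (one-to-one, so a retransmission is not
    absorbed by the match of an earlier copy).
    Returns ([packets seen only at A], [packets seen only at B])."""
    by_key = defaultdict(list)          # fingerprint -> [index, used] for B packets
    for i, (cap, ts, raw) in enumerate(packets):
        if cap == "B":
            by_key[packet_key(raw)].append([i, False])
    a_only = []
    for i, (cap, ts, raw) in enumerate(packets):
        if cap != "A":
            continue
        match = None
        for cand in by_key.get(packet_key(raw), []):
            j, used = cand
            if not used and abs(packets[j][1] - ts) <= window:
                match = cand
                break
        if match is None:
            a_only.append(packets[i])   # no B copy close enough in time
        else:
            match[1] = True             # consume the B copy
    b_only = [packets[j] for cands in by_key.values() for j, used in cands if not used]
    return a_only, b_only

if __name__ == "__main__":
    lost_a, lost_b = find_unmatched(PACKETS)
    print("seen only at A:", lost_a)
    print("seen only at B:", lost_b)
```

In a real run the fingerprint should cover only bytes that do not change between the two capture points (drop the link-layer header and the IP TTL and checksum), and the window must be shorter than the retransmission timeout, otherwise a lost segment's retransmission gets paired with the original and the wrong copy is reported as lost.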


