On Jul 14, 2008, at 9:01 AM, Fender, Brian wrote:
> I'm trying to debug a problem where a small percentage of certain
> HTTP transactions are being reset unexplainably. There is a load
> balancer between the client and server performing source NAT, plus
> other network devices along the route. I reproduced the problem
> while capturing with tcpdump from the client, loadbalancer, and
> server in parallel. I merged all three captures together and am
> trying to isolate individual bad requests across all three
> viewpoints. It seems that "Follow TCP Stream" only looks at ip and
> port numbers,

I.e., it follows the TCP stream, defined by the endpoints of the TCP
connection.

> so it only the portion of the transaction up to address translation.
> Is there any way to isolate a transaction based on TCP sequence
> numbers only (or any other reliable method you might know of)?

You can find all TCP packets with a given range of sequence numbers
with, for example:

    tcp.seq >= 358236700 && tcp.seq <= 358236800

but that will, in effect, find only one side.
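
Added example, not part of the original thread: a Python sketch that selects both sides of a transaction from a merged capture by sequence number alone, ignoring the addresses and ports that source NAT rewrites. The reverse side is picked up through its acknowledgment numbers. The packet records, addresses, the second connection and the WINDOW bound are constructed for illustration; it assumes absolute (not relative) sequence numbers, a load balancer that translates addresses without terminating the TCP connection, and no 32-bit sequence wraparound inside the range.

```python
from collections import namedtuple

# One TCP segment as seen at one capture point (absolute sequence numbers).
Pkt = namedtuple("Pkt", "point src sport dst dport seq ack length")

# Constructed sample: one request and its ACK seen at the client, the load
# balancer (after source NAT) and the server, plus an unrelated connection.
PACKETS = [
    Pkt("client", "10.0.0.5", 40001, "192.0.2.10", 80, 358236700, 901000001, 100),
    Pkt("lb", "172.16.0.1", 51515, "172.16.1.20", 80, 358236700, 901000001, 100),
    Pkt("server", "172.16.0.1", 51515, "172.16.1.20", 80, 358236700, 901000001, 100),
    Pkt("server", "172.16.1.20", 80, "172.16.0.1", 51515, 901000001, 358236800, 0),
    Pkt("lb", "172.16.1.20", 80, "172.16.0.1", 51515, 901000001, 358236800, 0),
    Pkt("client", "192.0.2.10", 80, "10.0.0.5", 40001, 901000001, 358236800, 0),
    Pkt("client", "10.0.0.5", 40002, "192.0.2.10", 80, 77000000, 55000001, 100),
]

WINDOW = 1 << 20  # assumed bound on how far the peer's sequence numbers advance


def both_sides(packets, lo, hi):
    """Return (forward, reverse) segments for the sequence range [lo, hi].

    forward: segments whose own sequence number lies in the range.
    reverse: segments from the peer that acknowledge data in that range and
             whose sequence number sits in the space the forward side is
             acknowledging (guards against a chance match on ack alone).
    """
    forward = [p for p in packets if lo <= p.seq <= hi]
    if not forward:
        return [], []
    end = max(p.seq + p.length for p in forward)  # one past the last byte sent
    peer_lo = min(p.ack for p in forward)         # start of peer's sequence space
    reverse = [p for p in packets
               if p not in forward
               and lo <= p.ack <= end
               and 0 <= p.seq - peer_lo < WINDOW]
    return forward, reverse


def display_filter(lo, hi, end):
    """Wireshark display filter covering both sides of the same range."""
    return (f"(tcp.seq >= {lo} && tcp.seq <= {hi}) || "
            f"(tcp.ack >= {lo} && tcp.ack <= {end})")


if __name__ == "__main__":
    fwd, rev = both_sides(PACKETS, 358236700, 358236800)
    for p in fwd + rev:
        print(p.point, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}", p.seq, p.ack)
    print(display_filter(358236700, 358236800, 358236800))
```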