Wireshark-users: Re: [Wireshark-users] Simultaneous Captures - Matching Packets
From: "Samson Martinez" <samson@xxxxxxxxxx>
Date: Fri, 1 May 2009 07:19:28 -0500
Hello all,

Any thoughts?

Thanks!
-Samson

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Samson Martinez
Sent: Monday, April 27, 2009 4:25 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Simultaneous Captures - Matching Packets

Hello all,

Thanks for the replies and sorry for the late reply - in the midst of tons of work and even forgot I started this thread... :(

This is for TCP traffic. In this case I was interested in traffic between a Solaris server and an Oracle database server. The server is continuously communicating with the DB on TCP 1523. The amount of traffic is immense and there has been performance degradation over the past few weeks. So I was in the midst of either eliminating or identifying the network infrastructure as the culprit.

I launched a capture on the server filtering on the DB IP and did the same on the DB except that I filtered on the server IP. Given the amount of data and the fact that this traffic has been ongoing forever there is no TCP SYN that I can match up on. So, I thought that I could match up TCP sequence numbers across both traces to help me sync up the traces but, based on the Nagle algorithm comment, I guess this is not the case?

Timestamps in these types of traces are tough as well because of the amount of traffic, as is the fact that many of these packets are similar in construction and payload. Is the IP identification field a good way to do this or do I need a different type of tool?

I hesitate to attach capture files to this email as I'm still not up-to-speed on rules & regulations for this forum. I'll be happy to upload them to a different location if possible.

Again, many thanks!
-Samson

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Xilouris George
Sent: Friday, April 24, 2009 4:06 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Simultaneous Captures - Matching Packets

Dear Samson,

On 24 Apr 2009, at 7:50 PM, Guy Harris wrote:

>
> On Apr 23, 2009, at 12:10 PM, Samson Martinez wrote:
>
>> Brand-new subscriber to this user-list - long time user of
>> Wireshark. I've been trying to determine the easiest method for
>> matching up packets that have been simultaneously captured on two
>> systems and I thought, it appears erroneously, that all the info in
>> the packets would match, including sequence numbers, etc.
>>
>> For example, I took simultaneous captures on two separate servers
>> (Solaris servers using snoop) and then loaded both files into
>> Wireshark to compare. I used the timestamps & IP Identification
>> field to match up packets. However, the sequence numbers don't
>> match up. Is this normal?

Are you referring to TCP or UDP, multicast or unicast?

Timestamps can only be used if your clocks on both systems are synchronised accurately. TCP sequence numbers are not the same due to the Nagle algorithm.

From what you are trying to do I guess it is a UDP stream that arrives from the same source to both servers. In this case you have to use higher level protocol headers in order to manage to match the packets, i.e. if you use MGEN to generate traffic you can use the timestamp field that is inserted by the generator at source, and resides on the application protocol header, as a good matching filter.

If you can be more detailed in what you try to do, I may have a better suggestion.

BR
George

>
> By "sequence numbers" are you referring to TCP sequence numbers, the
> numbers in the "No." column in the display, or some other sequence
> numbers?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
Attachment:
PGP.sig
Description: PGP signature
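An added example, not from the thread, of the matching Samson asks about: given each trace exported to (timestamp, src, dst, ip_id, tcp_seq, payload_len) records, it pairs packets across the two captures by direction, IP ID, TCP sequence number and length, lists packets seen on only one side (sent but never received, or dropped by one capture), and uses the two traffic directions to separate clock offset from one-way latency. Addresses, timestamps and packet records are constructed.

```python
from collections import defaultdict
from statistics import median

SERVER, DB = "10.0.0.5", "10.0.0.9"  # assumed addresses (constructed)
# Records: (timestamp, src, dst, ip_id, tcp_seq, payload_len), the fields one
# would export from each trace. Constructed sample: the DB clock runs 2.000 s
# ahead of the server clock, one-way latency is 10 ms, server packet ip_id 1003
# never reaches the DB, and DB-side ip_id 1004 was dropped by the server capture.
SERVER_TRACE = [
    (100.000, SERVER, DB, 1001, 5000, 100),
    (100.020, DB, SERVER, 7001, 9000, 50),
    (100.050, SERVER, DB, 1002, 5100, 100),
    (100.080, SERVER, DB, 1003, 5200, 100),
    (100.100, DB, SERVER, 7002, 9050, 50),
]
DB_TRACE = [
    (102.010, SERVER, DB, 1001, 5000, 100),
    (102.010, DB, SERVER, 7001, 9000, 50),
    (102.060, SERVER, DB, 1002, 5100, 100),
    (102.090, DB, SERVER, 7002, 9050, 50),
    (102.200, SERVER, DB, 1004, 5300, 100),
]

def match_key(pkt):
    # IP ID alone wraps every 65536 packets; direction + TCP seq + length
    # makes the key unique over any realistic matching window.
    _, src, dst, ip_id, seq, plen = pkt
    return (src, dst, ip_id, seq, plen)

def match_traces(trace_a, trace_b):
    """Pair packets present in both traces; return (pairs, only_in_a, only_in_b)."""
    index_b = defaultdict(list)
    for p in trace_b:
        index_b[match_key(p)].append(p)
    pairs, only_a = [], []
    for p in trace_a:
        bucket = index_b.get(match_key(p))
        if bucket:
            pairs.append((p, bucket.pop(0)))  # FIFO keeps retransmits in order
        else:
            only_a.append(p)
    only_b = [p for bucket in index_b.values() for p in bucket]
    return pairs, only_a, only_b

def clock_offset_and_latency(pairs, host_a):
    """t_b - t_a is (offset + latency) for a->b packets and (offset - latency)
    for b->a packets, so the two medians separate clock skew from network delay."""
    ab = median(tb[0] - ta[0] for ta, tb in pairs if ta[1] == host_a)
    ba = median(tb[0] - ta[0] for ta, tb in pairs if ta[1] != host_a)
    return (ab + ba) / 2, (ab - ba) / 2
```

Packets left in only_in_a after matching are the ones the network (or the far-side capture) lost, which is exactly the evidence needed to confirm or clear the infrastructure; the offset can then be applied to one trace before merging.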