Wireshark-users: Re: [Wireshark-users] Simultaneous Captures - Matching Packets

From: "Samson Martinez" <samson@xxxxxxxxxx>
Date: Fri, 1 May 2009 07:19:28 -0500
Hello all,

Any thoughts?

Thanks!

-Samson


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Samson Martinez
Sent: Monday, April 27, 2009 4:25 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Simultaneous Captures - Matching Packets

Hello all,

Thanks for the replies and sorry for the late reply - in the midst of tons of work and even forgot I started this thread... :(

This is for TCP traffic. In this case I was interested in traffic between a Solaris server and an Oracle database server. The server is continuously communicating with the DB on TCP 1523. The amount of traffic is immense and there has been performance degradation over the past few weeks. So I was in the midst of either eliminating or identifying the network infrastructure as the culprit.

I launched a capture on the server filtering on the DB IP and did the same on the DB except that I filtered on the server IP. Given the amount of data and the fact that this traffic has been ongoing forever there is no TCP SYN that I can match up on.

So, I thought that I could match up TCP sequence numbers across both traces to help me sync up the traces but, based on the Nagle algorithm comment, I guess this is not the case?

Time stamps in these types of traces is tough as well because of the amount of traffic as is the fact that many of these packets are similar in construction and payload. 

Is the IP identification field a good way to do this or do I need a different type of tool?

I hesitate to attach capture files to this email as I'm still not up-to-speed on rules & regulations for this forum. I'll be happy to upload them to a different location if possible.

Again, many thanks!

-Samson



-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Xilouris George
Sent: Friday, April 24, 2009 4:06 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Simultaneous Captures - Matching Packets

Dear Samson,

On 24 Απρ 2009, at 7:50 ΜΜ, Guy Harris wrote:

>
> On Apr 23, 2009, at 12:10 PM, Samson Martinez wrote:
>
>> Brand-new subscriber to this user-list - long time user of
>> Wireshark. I've been trying to determine the easiest method for
>> matching up packets that have been simultaneously captured on two
>> systems and I thought, it appears erroneously, that all the info in
>> the packets would match, including sequence numbers, etc.
>>
>> For example, I took simultaneous captures on two separate servers
>> (Solaris servers using snoop) and then loaded both files into
>> Wireshark to compare. I used the timestamps & IP Identification
>> field to match up packets. However, the sequence numbers don't  
>> match
>> up. Is this normal?
You are refering to TCP or UDP , multicast or unicast ?

Timestamps can only be used if your clocks on both systems are  
synchronised accuratelly. TCP sequence numbers are not the same due to  
the nagle algorithm.
 From what you are trying to do I guess it is a UDP stream that  
arrives from the same source to both servers. In this case you have to  
use higher level protocol headers in order to manage to match the  
packets. i.e if you use MGEN to generate traffic you can use the  
timestamp field that is inserted by the generator at source, and  
resides on the application protocol header, as a good matching filter.

If you can be more detailed in what you try to do, I may have a better  
suggestion.

BR

George
>
> By "sequence numbers" are you referring to TCP sequence numbers, the
> numbers in the "No." column in the display, or some other sequence
> numbers?
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx 
> >
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Attachment: PGP.sig
Description: PGP signature