Wireshark-users: Re: [Wireshark-users] match packets at sender and receiver

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Tue, 6 Apr 2010 21:45:55 +0900
Hi Ian,

Thank you for your reply.

> How many point samples do you need?  How many comparisons are you making?

I want to make an average for every second. The cap-files come from
another department, but their should be many packets a second.

>
> If it's just a handful, what's wrong with the manual approach?  Just
> locate a few matching packets in each capture (with TCP, *start* by
> just searching the second capture for some TCP sequence number in the
> first, which are likely to be unique within each capture unless it's
> quite large), and, well, compare their timestamps.  It shouldn't take
> more than a minute, tops, per comparison you're doing.

I have to do this for many cap files, for many different machines, on
many platforms, at many occasions.


>
> Or if you're a shell scripter and have some control over the traffic
> in your sample captures, perhaps generate your own unique traffic -
> some "ping" with a unique data pattern, maybe.  Then use tshark+some
> filtering, extract the timestamps using a shell script, and do a
> little work to compare and print the time deltas between the systems.

I am using now libcap to read the packets. For starters, I am
interested in all IP packets.


> Do you have more details on the testing you're trying to do; how much
> control you have over conditions (can you generate your own unique
> traffic between each host during a given test?), etc?  That'd help
> with giving you some technique ideas.

I have practically no control over the environment, because it is
different all the time.

>
>
> Remember that if you're using the traffic captures to compare time,
> though, then any network latency will make your comparison less
> accurate.
>

Yes that is another issue. For starters, I would like to match packets
on both end of the connection (I know the IP address of both ends).
Then, compare timestamps and somehow estimate and subtract the
latency. But the latency is another topic, I will accept the
accuracy-penalty for now.

What I would like to know is how to match packets on both ends of the
line, provided that I have the IP numbers. Are there any unique packet
identifiers that appear in the cap-files on both ends? What should I
use? For example, when I study the cap-file in Wireshark, I see under
"Internet Protocol" an "Identification" number that seems to be
incremented for packets over the same connection (or conversation?).
Is this Identification number generated by Wireshark or is it really
in the packet headers? Does it appear in both cap files? In that case,
I could use a tuple <IP, Identification> to match packets on both
ends.

Or is there a better way?

Thank you,
Andrej