Wireshark-users: Re: [Wireshark-users] Need help with analysis of two related captures

From: Kurt Buff <kurt.buff@xxxxxxxxx>
Date: Tue, 3 Jun 2014 13:31:47 -0700
I can share privately, certainly.

I've got a delta column added, and do see some big deltas (14s, 15s,
and even 75s and 83s and 94s (!)).

The firewalls we have don't have IDS/IPS capability, so that random
guess didn't hit the mark :).

I've got one of Laura Chappell's books and am working my way through
it, and also through a number of videos on youtube (what great
resources they are, too), but wanted to really nail this down for the
engineer, who's being a bit persnickety about it all.

Thanks,

Kurt

On Tue, Jun 3, 2014 at 1:17 PM,  <Tim.Poth@xxxxxxxxxxx> wrote:
> Can you share the captures? If you can ask specific 'I don't understand this frame' questions we might be able to help, but troubleshooting blind is kind of hard. There are a number of good Wireshark 101 books if you have that kind of time and a LOT of content on youtube. Sharkfest sharkfest.wireshark.org is just over a week away, no better place than there to learn Wireshark.
> In GENERAL out of order packets from AU wouldn't really surprise me; the resets are likely one side giving up. Are there a lot of retransmissions or huge time gaps before a reset? Adding a delta column to Wireshark can be a huge help when looking at that. Following the different streams might help you get a clearer view of what's up (clear some noise). Did you capture ICMP frames or JUST the port this app runs on? ICMP can give huge hints when things go off the rails. Have you checked the firewall logs? Depending on the firewall, have you tried excluding the traffic from deep IPS / IDS checks (yea, just guessing at random now).
>
> tim
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Kurt Buff
> Sent: Tuesday, June 3, 2014 3:45 PM
> To: Community support list for Wireshark
> Subject: [Wireshark-users] Need help with analysis of two related captures
>
> All,
>
> I have an engineer developing a tool in our AU office. His work requires that a machine in his office talk with two machines in our US office.
>
> If one of the US machines fails to respond, the second machine is supposed to pick up the conversation.
>
> However, he's getting timeouts from both, randomly. I've got a tcpdump capture that he sent initially, and then a pair that I captured of an event from firewalls at both ends, but as a relative newb at this kind of troubleshooting, all I can see are a fair number of out of order packets and resets, and can't really tell him more than that.
>
> The captures are small (2k, 4k and 6k).
>
> I'd love to find a facility or help of some sort to get to the bottom of the problem, if I can.
>
> Can anyone point me to where I might find some help on analysing these?
>
> Kurt
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
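The triage Tim suggests (a time-delta column, following each TCP stream separately, and checking for retransmissions and long gaps right before a reset) done by hand over a packet list, as an added worked example that is not part of the original thread and not either poster's code. The packets are constructed sample data, and the 10.x addresses, the ports and the 10-second gap threshold are assumptions; on a real capture the same fields come from `tshark -T fields` or a pcap parser.

```python
"""
Added example (not from the thread): group packets into TCP streams,
compute per-stream time deltas, count retransmissions, and flag resets
that arrive after a long silence, which is what the thread's advice
looks for in Wireshark. All packets here are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "SA", "PA", "R"
    seq: int       # TCP sequence number
    length: int    # TCP payload bytes


def stream_key(p):
    """Direction-independent 4-tuple, so both directions of a connection
    land in one stream (the grouping 'Follow TCP Stream' uses)."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def group_streams(packets):
    streams = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        streams[stream_key(p)].append(p)
    return dict(streams)


def find_retransmissions(stream):
    """A payload-carrying segment whose (sender, seq) was already seen
    with payload is counted as a retransmission. Simplified: partial
    overlaps and out-of-order segments are not classified here."""
    seen, retrans = set(), []
    for p in stream:
        if p.length == 0:
            continue
        key = (p.src, p.sport, p.seq)
        if key in seen:
            retrans.append(p)
        else:
            seen.add(key)
    return retrans


def gaps_before_reset(stream, threshold):
    """Return (delta_seconds, rst_packet) for every RST that follows a
    silence longer than threshold; that is the 'one side gave up' pattern."""
    hits = []
    for prev, cur in zip(stream, stream[1:]):
        if "R" in cur.flags:
            delta = round(cur.ts - prev.ts, 3)
            if delta > threshold:
                hits.append((delta, cur))
    return hits


def triage(packets, gap_threshold=10.0):
    report = {}
    for key, stream in group_streams(packets).items():
        deltas = [round(b.ts - a.ts, 3) for a, b in zip(stream, stream[1:])]
        report[key] = {
            "packets": len(stream),
            "max_delta": max(deltas) if deltas else 0.0,
            "retransmissions": len(find_retransmissions(stream)),
            "gaps_before_rst": [d for d, _ in gaps_before_reset(stream, gap_threshold)],
        }
    return report


# Constructed sample: AU client 10.1.0.5 talks to primary US server
# 10.2.0.10 (one retransmission, then a RST after 75 s of silence) and
# then to the backup server 10.2.0.11 (a healthy exchange). Assumed values.
AU, US1, US2, PORT = "10.1.0.5", "10.2.0.10", "10.2.0.11", 8443
SAMPLE_PACKETS = [
    Packet(0.000, AU, 51000, US1, PORT, "S", 100, 0),
    Packet(0.180, US1, PORT, AU, 51000, "SA", 500, 0),
    Packet(0.360, AU, 51000, US1, PORT, "A", 101, 0),
    Packet(0.361, AU, 51000, US1, PORT, "PA", 101, 200),
    Packet(1.500, AU, 51000, US1, PORT, "PA", 101, 200),   # retransmission
    Packet(1.700, US1, PORT, AU, 51000, "A", 501, 0),
    Packet(76.700, US1, PORT, AU, 51000, "R", 501, 0),     # reset after 75 s
    Packet(80.000, AU, 51001, US2, PORT, "S", 900, 0),
    Packet(80.200, US2, PORT, AU, 51001, "SA", 300, 0),
    Packet(80.400, AU, 51001, US2, PORT, "A", 901, 0),
    Packet(80.401, AU, 51001, US2, PORT, "PA", 901, 100),
    Packet(80.600, US2, PORT, AU, 51001, "PA", 301, 50),
]


def run_triage():
    return triage(SAMPLE_PACKETS, gap_threshold=10.0)


if __name__ == "__main__":
    for key, summary in run_triage().items():
        print(key, summary)
```

Streams whose `gaps_before_rst` list is non-empty are the ones to open first in Wireshark with `tcp.stream eq N`; a gap of tens of seconds followed by a RST with no retransmission in between points at an idle timeout somewhere on the path rather than loss, while a gap filled with retransmissions points at loss or filtering.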