Wireshark-users: Re: [Wireshark-users] TCP Delta question
The delta column is going to display the time from the last frame or the last in the same session or that is currently displayed (depending on how you have it set). Seeing a large delta isn’t an issue in itself; if it’s a keep-alive and you are looking at it from a session level, it makes sense. If you have a busy box and are looking at delta from last frame you may never see a large delta because the box is busy, but if you move to delta conversation you may find you have a problem hidden by the other traffic.
Based on what you have posted I’m not sure you have an issue and I don’t think it advocates a tap in and of itself.

Hope that helps.

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Tom Simpson

I am looking at a trace file from a server and have a question. I am seeing a large TCP Delta in some of the packets and the source server is the machine I have Wireshark installed on. Here is one of the packets that shows the large Delta. I took a trace from the server on the other end and it shows a very small, what I expected it to be, Delta Time. Does this mean the server I am capturing on is possibly having an application issue of some sort? This was taken during a file transfer between the two; I copied Acrobat Reader from the fileserver to the terminal server. The transfer took a normal amount of time, so I am thinking this is some housekeeping process for M$AD.

No.: 41983
Time: 1408627378.013279
TCP Delta: 119.951789000
Source: fileserver.mydomain.local
Destination: terminalserver.mydomain.local
Protocol: TCP
Length: 55
Win Size: 64629
Calc'd Win Size: 64629
[TCP Keep-Alive] microsoft-ds > 63239 [ACK] Seq=385 Ack=321 Win=64629 Len=1

This was a 1 byte keep alive which is what has me puzzled. I do see these same Delta times with similar traffic on some of our other servers on the network. Does this mean there is an issue in AD, or is this just one more reason to use a TAP for a packet capture instead of installing Wireshark locally on the server?

--
Thanks,
Tom Simpson
LAN/WAN Engineer
Forcht Group of Kentucky
859.259.9700 x538

"We all knew there was just one way to improve our odds for survival: train, train, train. Sometimes, if your training is properly intense it will kill you. More often -- much, much more often -- it will save your life." - Richard Marcinko, former US Navy SEAL Team Commander
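An added illustration of the two delta views discussed in this thread (not code from either poster or from Wireshark): it computes the delta from the previous frame and the delta within the same TCP conversation over constructed packet records, and applies a simplified keep-alive test. The host names, ports, times and sequence numbers are assumptions made up for the example.

```python
from collections import namedtuple

# Constructed sample records, not taken from the trace in this thread.
Pkt = namedtuple("Pkt", "no time src sport dst dport seq length")

def analyze(packets):
    """Per packet: (no, delta from previous frame, delta within its TCP
    conversation, looks_like_keepalive)."""
    rows, prev_time = [], None
    last_seen = {}   # conversation key -> time of last packet, either direction
    next_seq = {}    # (src, sport, dst, dport) -> next expected sequence number
    for p in sorted(packets, key=lambda p: p.time):
        conv = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        flow = (p.src, p.sport, p.dst, p.dport)
        frame_delta = 0.0 if prev_time is None else p.time - prev_time
        conv_delta = p.time - last_seen.get(conv, p.time)
        # Simplified keep-alive test: 0 or 1 byte, sequence number one below
        # the next expected one for this direction (flags are not modelled).
        expected = next_seq.get(flow)
        keepalive = (expected is not None and p.length <= 1
                     and p.seq == expected - 1)
        rows.append((p.no, round(frame_delta, 6), round(conv_delta, 6), keepalive))
        prev_time = last_seen[conv] = p.time
        if not keepalive:
            next_seq[flow] = max(expected or 0, p.seq + p.length)
    return rows

FS, TS, WS = "fileserver", "terminalserver", "workstation"
SAMPLE = [
    Pkt(1, 0.000, FS, 445, TS, 63239, 285, 100),    # last data on the idle session
    Pkt(2, 0.010, TS, 63239, FS, 445, 321, 0),      # ACK from the other side
    Pkt(3, 30.000, WS, 50000, FS, 445, 1, 200),     # unrelated busy traffic
    Pkt(4, 60.000, FS, 445, WS, 50000, 1, 1400),
    Pkt(5, 119.948, WS, 50000, FS, 445, 201, 200),
    Pkt(6, 119.951, FS, 445, TS, 63239, 384, 1),    # 1-byte keep-alive
]

if __name__ == "__main__":
    print("no  frame_delta  conv_delta  keepalive")
    for no, fd, cd, ka in analyze(SAMPLE):
        print(f"{no:<3} {fd:<12} {cd:<11} {ka}")
```

In the constructed data the keep-alive shows a frame delta of a few milliseconds because other traffic arrived just before it, while its conversation delta is roughly two minutes of idle time on that one session.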