Hello folks,

Apologies for the duplicate post – my subscription to this group was incorrect so I kept getting bounced back.

Thanks!
-Samson

**************

Hello all,

Thanks for the replies and sorry for the late reply - in the midst of tons of work and even forgot I started this thread... :(

This is for TCP traffic. In this case I was interested in traffic between a Solaris server and an Oracle database server. The server is continuously communicating with the DB on TCP 1523. The amount of traffic is immense and there has been performance degradation over the past few weeks. So I was in the midst of either eliminating or identifying the network infrastructure as the culprit.

I launched a capture on the server filtering on the DB IP and did the same on the DB except that I filtered on the server IP. Given the amount of data and the fact that this traffic has been ongoing forever there is no TCP SYN that I can match up on.

So, I thought that I could match up TCP sequence numbers across both traces to help me sync up the traces but, based on the Nagle algorithm comment, I guess this is not the case? Time stamps in these types of traces are tough as well because of the amount of traffic, as is the fact that many of these packets are similar in construction and payload.

Is the IP identification field a good way to do this or do I need a different type of tool?

I hesitate to attach capture files to this email as I'm still not up-to-speed on rules & regulations for this forum. I'll be happy to upload them to a different location if possible.

Again, many thanks!
-Samson

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Xilouris George
Sent: Friday, April 24, 2009 4:06 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Simultaneous Captures - Matching Packets

Dear Samson,

On 24 Apr 2009, at 7:50 PM, Guy Harris wrote:

>
> On Apr 23, 2009, at 12:10 PM, Samson Martinez wrote:
>
>> Brand-new subscriber to this user-list - long time user of Wireshark.
>> I've been trying to determine the easiest method for matching up
>> packets that have been simultaneously captured on two systems and I
>> thought, it appears erroneously, that all the info in the packets
>> would match, including sequence numbers, etc.
>>
>> For example, I took simultaneous captures on two separate servers
>> (Solaris servers using snoop) and then loaded both files into
>> Wireshark to compare. I used the timestamps & IP Identification field
>> to match up packets. However, the sequence numbers don't match up. Is
>> this normal?

You are referring to TCP or UDP, multicast or unicast? Timestamps can only be used if your clocks on both systems are synchronised accurately. TCP sequence numbers are not the same due to the Nagle algorithm.

From what you are trying to do I guess it is a UDP stream that arrives from the same source to both servers. In this case you have to use higher level protocol headers in order to manage to match the packets, i.e. if you use MGEN to generate traffic you can use the timestamp field that is inserted by the generator at source, and resides on the application protocol header, as a good matching filter.

If you can be more detailed in what you try to do, I may have a better suggestion.

BR
George

>
> By "sequence numbers" are you referring to TCP sequence numbers, the
> numbers in the "No." column in the display, or some other sequence
> numbers?
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
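The cross-capture matching Samson asks about, as an added Python example that is not from this thread or from Wireshark: packets from the two traces are paired on a key of addresses, ports, IP identification and the absolute TCP sequence number (Wireshark's default display shows relative sequence numbers, which are computed per capture file and so differ when both captures start mid-stream), and the median timestamp difference of the pairs gives the clock offset between the two hosts even with no SYN to anchor on. The packet records and timestamps are constructed for the example, not taken from Samson's traces.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture timestamp, seconds, from that host's clock
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int     # IP identification field
    seq: int       # absolute (on-the-wire) TCP sequence number
    length: int    # TCP payload bytes


def key(p: Pkt):
    # IP ID wraps at 65536; adding seq disambiguates reuse within a long trace.
    return (p.src, p.dst, p.sport, p.dport, p.ip_id, p.seq)


def match_captures(cap_a, cap_b):
    """Pair packets present in both captures; return (pairs, only_a, only_b)."""
    index_b = defaultdict(list)
    for p in cap_b:
        index_b[key(p)].append(p)
    pairs, only_a = [], []
    for p in cap_a:
        cands = index_b.get(key(p))
        if cands:
            q = cands.pop(0)           # consume one copy per match
            pairs.append((p, q, q.ts - p.ts))
        else:
            only_a.append(p)           # seen at A, never reached B's capture
    only_b = [q for lst in index_b.values() for q in lst]
    return pairs, only_a, only_b


def clock_offset(pairs):
    """Median B-minus-A timestamp delta: the constant skew between the clocks."""
    return median(d for _, _, d in pairs) if pairs else 0.0


# Constructed sample: server S -> Oracle DB D on TCP 1523, captured on both ends.
S, D = "10.0.0.5", "10.0.0.9"
CAP_A = [  # server-side capture
    Pkt(100.000, S, D, 40000, 1523, 0x1A2B, 1000, 100),
    Pkt(100.010, D, S, 1523, 40000, 0x3C4D, 5000, 60),
    Pkt(100.020, S, D, 40000, 1523, 0x1A2C, 1100, 100),
    Pkt(100.030, S, D, 40000, 1523, 0x1A2D, 1200, 100),  # lost before D
]
CAP_B = [  # DB-side capture; its clock runs ~0.5 s ahead of the server's
    Pkt(100.5012, S, D, 40000, 1523, 0x1A2B, 1000, 100),
    Pkt(100.5098, D, S, 1523, 40000, 0x3C4D, 5000, 60),
    Pkt(100.5213, S, D, 40000, 1523, 0x1A2C, 1100, 100),
    Pkt(100.5500, D, S, 1523, 40000, 0x3C4E, 5060, 60),  # lost before S
]
```

Subtracting `clock_offset` from each pair's delta leaves the per-packet one-way transit time, which is what isolates the network from the hosts.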
Attachment:
PGP.sig
Description: PGP signature