
Wireshark-dev: [Wireshark-dev] Something that would be useful in Wireshark when dealing with dr

From: Richard Sharpe <realrichardsharpe@xxxxxxxxx>
Date: Sun, 30 Dec 2018 18:58:05 -0800
Hi folks,

I recently had to perform some surgery on a packet capture that had
dropped packets.

I was capturing a GbE link that was operating at capacity and a few
packets were dropped in the area I was interested in.

I was chasing the reason that the current Mac OS X smbfs would
disconnect from the server on some occasions.

I was interested in the SMB headers and had no interest in the data
carried in SMB writes or reads, and fortunately, none of the dropped
packets in the area I was interested in covered SMB headers.

Using wireedit, mergecap and Wireshark's ability to export packets
from a point in the capture I was able to put together a new capture
that showed me all the SMB info, by:

1. Exporting a single frame where the NetBIOS/SMB header was in the
middle of a TCP segment,
2. Removing the portion from before the NetBIOS header and adjusting the
sequence number (that is, essentially splitting the segment into two),
3. Merging the adjusted packet with the packets from after its position
in the capture,
4. Making up the missing few packets/segments by saving the packet from
before the missing segment, duplicating the data and adjusting the
sequence numbers.

This worked quite well and I was able to determine that the Mac OS X
smbfs was sometimes not sending an SMB request and thus causing
crediting issues.

That led me to think of the following changes that would be useful:

1. It would be useful to have a right-mouse-button menu item that
allows you to split a frame into two TCP segments at the point where
the mouse is pointing.

This would possibly allow Wireshark to correctly dissect the data
starting at that point, especially if you save the capture from the
new frame forward.

2. It would also be useful if you could tell Wireshark: Please insert
a TCP segment with random data to cover the missing segments that it
so conveniently warns you about.

Perhaps these could be handled by adding some sort of pcap-ng
annotation to the frames specifying additional actions.

Anyway, can anyone think of other ways to achieve what I want and
other ideas like these?

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao) (Legend has it that Du Kang was the inventor of wine)
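The sequence-number surgery in steps 2 and 4 of the post, as an added example that is neither Richard's tooling nor part of Wireshark: it splits one untagged Ethernet/IPv4/TCP frame into two segments at a byte offset and synthesises MSS-sized filler segments for a gap, refreshing the IP total length and both checksums so the result dissects cleanly. The frame layout, addresses, ports, the filler byte and the NetBIOS/SMB2-looking sample payload are constructed assumptions; writing the frames back into a pcap is left to whatever tooling you already use (mergecap, as in the post).

```python
import struct
def csum16(data):
    # RFC 1071 one's-complement sum of 16-bit words (odd trailing byte zero-padded); a valid header sums to 0
    s = sum(struct.unpack_from("!%dH" % (len(data) // 2), data)) + (data[-1] << 8 if len(data) % 2 else 0)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def parse(frame):
    # Header sizes, sequence number and payload of an untagged Ethernet/IPv4/TCP frame (assumed layout)
    ihl = (frame[14] & 0x0F) * 4
    doff = (frame[14 + ihl + 12] >> 4) * 4
    seq = struct.unpack_from("!I", frame, 14 + ihl + 4)[0]
    return ihl, doff, seq, frame[14 + ihl + doff:14 + struct.unpack_from("!H", frame, 16)[0]]

def rebuild_frame(frame, seq, payload):
    # Keep the Ethernet/IP/TCP headers (options included), install seq and payload, refresh lengths and checksums
    ihl, doff, _, _ = parse(frame)
    ip = bytearray(frame[14:14 + ihl])
    tcp = bytearray(frame[14 + ihl:14 + ihl + doff])
    ip[2:4] = struct.pack("!H", ihl + doff + len(payload))
    ip[10:12] = struct.pack("!H", csum16(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    tcp[4:8] = struct.pack("!I", seq & 0xFFFFFFFF)
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, doff + len(payload))
    tcp[16:18] = struct.pack("!H", csum16(pseudo + bytes(tcp[:16]) + b"\x00\x00" + bytes(tcp[18:]) + payload))
    return frame[:14] + bytes(ip) + bytes(tcp) + payload

def checksums_ok(frame):
    # Both the IP and the TCP checksum verify to zero over the bytes they cover
    ihl, doff, _, payload = parse(frame)
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + doff]
    return csum16(ip) == 0 and csum16(ip[12:20] + struct.pack("!BBH", 0, 6, doff + len(payload)) + tcp + payload) == 0
def split_segment(frame, offset):
    # Step 2 of the post: cut one segment at byte `offset` into two consecutive segments
    _, _, seq, payload = parse(frame)
    return rebuild_frame(frame, seq, payload[:offset]), rebuild_frame(frame, seq + offset, payload[offset:])
def fill_gap(last_seen, next_seq, mss=1460, filler=b"\x00"):
    # Step 4 of the post: synthesise MSS-sized filler segments covering the range [end of last_seen, next_seq)
    _, _, seq, payload = parse(last_seen)
    cur, out = seq + len(payload), []
    while cur < next_seq:
        n = min(mss, next_seq - cur)
        out.append(rebuild_frame(last_seen, cur, filler * n))
        cur += n
    return out

# Constructed sample: Ethernet + IPv4 10.0.0.1 -> 10.0.0.2 + TCP 49152 -> 445 (PSH/ACK); rebuild_frame fills lengths/checksums
SKELETON = (bytes(12) + b"\x08\x00" + bytes([0x45, 0, 0, 0, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
            + struct.pack("!HHIIBBHHH", 49152, 445, 0, 0, 0x50, 0x18, 8192, 0, 0))
SAMPLE = rebuild_frame(SKELETON, 1000, b"tail-of-prev" + b"\x00\x00\x00\x40\xfeSMB" + bytes(60))
```

Splitting SAMPLE at offset 12 yields a 12-byte segment at seq 1000 and a second segment at seq 1012 that begins on the NetBIOS session header, which is what lets the dissector pick up SMB from the new frame onward.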