Wireshark-users: Re: [Wireshark-users] Synchronization of Simultaneous Capures

From: Kevin <masonke@xxxxxxxxx>
Date: Fri, 15 May 2009 06:57:28 -0700
Yes, the IPID would be the 1st place to start and a quick way to do that is to add a custom Column to the display with " ip.id " as the value.  In a long capture you will find the IPID repeating, so you will need to use the Seq and Ack # to figure out which is which, but the data set will be much smaller.  

You can then use Editcap to sync the times of the 2 traces.

Good luck!

~Kevin

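The matching step Kevin describes (key on ip.id, disambiguate repeats with the TCP sequence and acknowledgement numbers, then shift one trace with editcap) and George's caveat that timestamps only line up when both clocks agree can be combined into one small script. The example below is added here and is not code from the thread or from the Wireshark project; it assumes each capture has first been exported with `tshark -r cap.pcap -o tcp.relative_sequence_numbers:FALSE -T fields -e frame.time_epoch -e ip.id -e tcp.seq -e tcp.ack` (so sequence numbers are absolute, not Wireshark's relative ones), and the two sample exports embedded in it are constructed, not real traffic.

```python
"""Match packets across two simultaneous captures and estimate the clock
offset between the capture hosts, so one trace can be re-timed with editcap.

Added example (not from the mailing-list thread or the Wireshark project).
Input is assumed to be the tab-separated output of:
  tshark -r cap.pcap -o tcp.relative_sequence_numbers:FALSE -T fields \
         -e frame.time_epoch -e ip.id -e tcp.seq -e tcp.ack
"""
from statistics import median

# Constructed sample exports. Capture A was taken on the application server,
# capture B on the database host whose clock runs about 2.5 s ahead.
CAPTURE_A = """\
1242395000.100000\t0x1a2b\t1000\t5000
1242395000.200000\t0x1a2c\t1100\t5000
1242395000.300000\t0x1a2b\t1200\t5000
1242395000.400000\t0x1a2d\t1300\t5000
1242395000.500000\t0x1a2d\t1300\t5000
"""
CAPTURE_B = """\
1242395002.601000\t0x1a2b\t1000\t5000
1242395002.702000\t0x1a2c\t1100\t5000
1242395002.801500\t0x1a2b\t1200\t5000
1242395002.900000\t0x1a2d\t1300\t5000
1242395003.000000\t0x1a2d\t1300\t5000
"""


def _to_int(field):
    # tshark prints ip.id as hex ("0x1a2b"); accept plain decimal as well.
    return int(field, 16) if field.lower().startswith("0x") else int(field)


def parse_tshark_fields(text):
    """Return a list of (time_epoch, ip_id, tcp_seq, tcp_ack) tuples."""
    rows = []
    for line in text.strip().splitlines():
        t, ipid, seq, ack = line.split("\t")
        rows.append((float(t), _to_int(ipid), _to_int(seq), _to_int(ack)))
    return rows


def match_packets(rows_a, rows_b):
    """Pair packets present in both captures, keyed on (ip.id, seq, ack).

    ip.id is only 16 bits and wraps quickly on a busy link, which is why the
    key also carries the TCP sequence and ack numbers. A key that still occurs
    more than once in either capture (e.g. a retransmission) is ambiguous and
    is left out rather than guessed at.
    """
    def index(rows):
        idx = {}
        for t, ipid, seq, ack in rows:
            idx.setdefault((ipid, seq, ack), []).append(t)
        return idx

    idx_a, idx_b = index(rows_a), index(rows_b)
    pairs = []
    for key, times_a in idx_a.items():
        times_b = idx_b.get(key)
        if times_b is None or len(times_a) != 1 or len(times_b) != 1:
            continue
        pairs.append((times_a[0], times_b[0]))
    return pairs


def clock_offset(pairs):
    """Median of (t_b - t_a) over all matched packets.

    The median ignores the odd packet that was queued or delayed differently
    on its way to one of the two hosts. Note the result still contains the
    one-way transit time, not just the clock difference.
    """
    return median(tb - ta for ta, tb in pairs)


def editcap_shift_command(infile, outfile, offset):
    """Build the editcap command that moves capture B onto capture A's clock."""
    return f"editcap -t {-offset:.6f} {infile} {outfile}"


def sync_captures(text_a, text_b, infile="b.pcap", outfile="b_synced.pcap"):
    pairs = match_packets(parse_tshark_fields(text_a), parse_tshark_fields(text_b))
    offset = clock_offset(pairs)
    return len(pairs), offset, editcap_shift_command(infile, outfile, offset)


if __name__ == "__main__":
    n, off, cmd = sync_captures(CAPTURE_A, CAPTURE_B)
    print(f"{n} unambiguous matches, capture B runs {off:+.6f} s relative to A")
    print(cmd)
```

On the constructed data three keys match unambiguously and the duplicated (0x1a2d, 1300, 5000) key is skipped; the median offset comes out at about 2.5015 s, so the script suggests `editcap -t -2.501500 b.pcap b_synced.pcap`. Because the offset includes path latency as well as clock skew, the re-timed trace is good for lining packets up side by side, not for measuring one-way delay.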

On May 1, 2009, at 6:22 , Samson Martinez wrote:

Hello folks,
 
Apologies for the duplicate post – my subscription to this group was incorrect so I kept getting bounced back.
 
Thanks!
 
-Samson
 
**************
 
Hello all,
 
Thanks for the replies and sorry for the late reply - in the midst of tons of work and even forgot I started this thread... :(
 
This is for TCP traffic. In this case I was interested in traffic between a Solaris server and an Oracle database server. The server is continuously communicating with the DB on TCP 1523. The amount of traffic is immense and there has been performance degradation over the past few weeks. So I was in the midst of either eliminating or identifying the network infrastructure as the culprit.
 
I launched a capture on the server filtering on the DB IP and did the same on the DB except that I filtered on the server IP. Given the amount of data and the fact that this traffic has been ongoing forever there is no TCP SYN that I can match up on.
 
So, I thought that I could match up TCP sequence numbers across both traces to help me sync up the traces but, based on the Nagle algorithm comment, I guess this is not the case?
 
Time stamps in these types of traces is tough as well because of the amount of traffic as is the fact that many of these packets are similar in construction and payload.
 
Is the IP identification field a good way to do this or do I need a different type of tool?
 
I hesitate to attach capture files to this email as I'm still not up-to-speed on rules & regulations for this forum. I'll be happy to upload them to a different location if possible.
 
Again, many thanks!
 
-Samson
 
 
 
-----Original Message-----
Sent: Friday, April 24, 2009 4:06 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Simultaneous Captures - Matching Packets
 
Dear Samson,
 
On 24 Apr 2009, at 7:50 PM, Guy Harris wrote:
 
> 
> On Apr 23, 2009, at 12:10 PM, Samson Martinez wrote:
> 
>> Brand-new subscriber to this user-list - long time user of Wireshark.
>> I've been trying to determine the easiest method for matching up
>> packets that have been simultaneously captured on two systems and I
>> thought, it appears erroneously, that all the info in the packets
>> would match, including sequence numbers, etc.
>> 
>> For example, I took simultaneous captures on two separate servers
>> (Solaris servers using snoop) and then loaded both files into
>> Wireshark to compare. I used the timestamps & IP Identification field
>> to match up packets. However, the sequence numbers don't match up. Is
>> this normal?
Are you referring to TCP or UDP, multicast or unicast?
 
Timestamps can only be used if the clocks on both systems are 
synchronised accurately. TCP sequence numbers are not the same due to 
the Nagle algorithm.
From what you are trying to do I guess it is a UDP stream that 
arrives from the same source to both servers. In this case you have to 
use higher level protocol headers in order to manage to match the 
packets. I.e. if you use MGEN to generate traffic you can use the 
timestamp field that is inserted by the generator at source, and 
resides on the application protocol header, as a good matching filter.
 
If you can be more detailed in what you try to do, I may have a better 
suggestion.
 
BR
 
George
> 
> By "sequence numbers" are you referring to TCP sequence numbers, the
> numbers in the "No." column in the display, or some other sequence
> numbers?
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
 
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe