I spend a healthy chunk of my typical work day analyzing network packet captures. My primary tool is Wireshark, which humbly presents itself as "The World's Most Popular Network Protocol Analyzer." (Seriously: if you aren't using Wireshark, go download it NOW.) Protocol analyzers are great for identifying typical "red flags" in packet data, but they're all limited to what the raw data might indicate. Customer network environments are so broad (and so varied) that the network engineer, especially one "on the outside looking in" with only a small data set, relies heavily on experience and intuition.

One recent case was presented as "many failed connections," and a 6-minute packet capture soon landed in my lap.

Now, every Wireshark user has their own approach. I usually take advantage of Wireshark's display filters to get a general "feel" for the incidence of Layer 3/4 problems. With a typical capture file, I'll start with , which simply tells Wireshark, "hey, show me what YOU think are TCP problems." Now, as I said, none of these tools are perfect, so take these results with a grain of salt: they're only as good as the underlying data, and it's very easy to collect inaccurate or incomplete data.

The resulting numbers were somewhat high, but I've seen worse.

After taking a look at the results of this display filter, I noticed what seemed a high number of TCP retransmissions, so I decided to see exactly which packets were being retransmitted with a different display filter, which will show me only those packets Wireshark believes to be TCP retransmissions. Make sure that the preference setting for this feature has been enabled: the filter requires that the preference for analyzing TCP sequence numbers has been enabled, or else the filter will not work. (File: tcpretransmissionscolorfilter.txt. Description: Show TCP Retransmissions and other interesting TCP events with easy to spot red background.)

Now, the complaint was very specific that new connections were failing; no mention was made of existing connections being interrupted or terminated. So, I went to Wireshark's Statistics->Conversations dialog and sorted on the "Packets" column to look for very short conversations, and found HUNDREDS of conversations that only lasted for a few packets, like these:

So, the remote endpoint starts a conversation with a SYN packet and the local endpoint responds immediately, but we see the remote endpoint retransmitting its SYN packet within 10ms.
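Added example, not from the original post: a small Python script that applies the same two checks the post performs by hand to a constructed tshark-style field dump, grouping packets into direction-independent conversations to list the short ones (the Statistics->Conversations view sorted on "Packets") and flagging a pure SYN repeated by the same client within 10 ms. The tshark command in the comment, the field names and the sample timings are assumptions; the addresses and packets are constructed.

```python
from collections import defaultdict

# Constructed sample shaped like tab-separated output of (assumed command):
# tshark -r cap.pcap -T fields -e frame.time_relative -e ip.src -e tcp.srcport
#   -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
# First conversation: SYN, SYN/ACK, then the client resends its SYN 8.5 ms later.
# Second conversation: a healthy handshake followed by data.
SAMPLE = """\
0.000000\t10.0.0.5\t40001\t192.0.2.10\t443\t1\t0
0.000200\t192.0.2.10\t443\t10.0.0.5\t40001\t1\t1
0.008500\t10.0.0.5\t40001\t192.0.2.10\t443\t1\t0
0.008700\t192.0.2.10\t443\t10.0.0.5\t40001\t1\t1
0.020000\t10.0.0.6\t40002\t192.0.2.10\t443\t1\t0
0.020300\t192.0.2.10\t443\t10.0.0.6\t40002\t1\t1
0.020600\t10.0.0.6\t40002\t192.0.2.10\t443\t0\t1
0.021000\t10.0.0.6\t40002\t192.0.2.10\t443\t0\t1
0.021400\t192.0.2.10\t443\t10.0.0.6\t40002\t0\t1
0.021800\t192.0.2.10\t443\t10.0.0.6\t40002\t0\t1
"""

def parse(text):
    """Turn the field dump into packet dicts; flags may be 1/0 or True/False."""
    pkts = []
    for line in text.splitlines():
        t, src, sp, dst, dp, syn, ack = line.split("\t")
        pkts.append({"t": float(t), "src": src, "sp": int(sp), "dst": dst,
                     "dp": int(dp), "syn": syn in ("1", "True"),
                     "ack": ack in ("1", "True")})
    return pkts

def conversations(pkts):
    """Group packets by 4-tuple regardless of direction, like Statistics->Conversations."""
    convs = defaultdict(list)
    for p in pkts:
        key = tuple(sorted([(p["src"], p["sp"]), (p["dst"], p["dp"])]))
        convs[key].append(p)
    return convs

def short_conversations(convs, max_packets=4):
    """Conversations that never got past a few packets (sorted 'Packets' column)."""
    return sorted(k for k, v in convs.items() if len(v) <= max_packets)

def syn_retransmissions(pkts, window=0.010):
    """Pure SYNs (SYN set, ACK clear) repeated by the same client within `window` s."""
    last_syn, hits = {}, []
    for p in pkts:
        if p["syn"] and not p["ack"]:
            key = (p["src"], p["sp"], p["dst"], p["dp"])
            if key in last_syn and p["t"] - last_syn[key] <= window:
                hits.append((key, round(p["t"] - last_syn[key], 6)))
            last_syn[key] = p["t"]
    return hits
```

A SYN resent inside the 10 ms window while the SYN/ACK already went out is the pattern described in the post; the script reports it per client socket so the hits can be counted against the short-conversation list.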