Wireshark mailing list archives

Re: FW: Merging files duplicate acks & retransmissions


From: Martin Visser <martinvisser99 () gmail com>
Date: Fri, 28 May 2010 08:02:18 +1000

From reading
http://wireshark.askapache.com/lists/wireshark-bugs/200806/msg00042.html it
would seem you might be best filtering traffic only coming from one
direction before merging (It's a feature I might need to try out and
document properly. It would seem to be mostly useful for detecting dropped
packets).



Regards, Martin

MartinVisser99 () gmail com


On Fri, May 28, 2010 at 7:42 AM, Martin Visser <martinvisser99 () gmail com> wrote:

If you merge two cap files of effectively the same data without doing
any other pre-filtering you are going to have a lot of TCP segment pairs
having the same SEQ and IP address/ports. Wireshark (as it emulates what a
TCP would "think") will by definition interpret them as dups, window
updates and retransmissions depending on the order that the merge produces.

(I haven't seen the compare feature as yet so I am unsure whether you are
doing this the right way)

Regards, Martin

MartinVisser99 () gmail com



On Thu, May 27, 2010 at 8:03 PM, Keith French <keithfrench () btconnect com> wrote:

Sorry in my first email I forgot to state the mergecap syntax I was using.
It is:-

mergecap -F libpcap -w merged.pcap client.pcap server.pcap

Where "client.pcap" & "server.pcap" are the traces from either end of the
connection and "merged.pcap" is my resulting merged trace.

Keith French.

________________________________

From: Keith French
Sent: Wed 26/05/2010 15:32
To: wireshark-users () wireshark org
Subject: Merging files duplicate acks & retransmissions


I have two captures taken on two laptops at either end of a client/server
scenario. I want to merge them to use later with the new compare feature on
Wireshark's Statistics menu. Neither trace has any TCP analysis flags set,
other than a few window size updates & 1 retransmission.

However, when I merge them with Mergecap chronologically, I end up with
about 400 TCP window size updates, duplicate acks & retransmissions etc.

I have tried this on several different trace scenarios and get similar
results. Why does this happen?

Keith French.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
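
Added example (not from the thread and not Wireshark's code): a small model of why a chronological merge of two traces of the same connection gets flagged, using constructed packets and a much-reduced stand-in for Wireshark's TCP analysis. Assumptions: the endpoint names, the 20 ms latency, and the reading of "filter one direction" as keeping from each trace only the packets its own host sent.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src dst seq length")
CLIENT, SERVER = "client", "server"   # constructed endpoint names

# Constructed conversation with no loss and no real retransmissions:
# (send time, sender, receiver, TCP sequence number, payload bytes)
CONVERSATION = [
    Pkt(0.000, CLIENT, SERVER, 1, 100),
    Pkt(0.001, CLIENT, SERVER, 101, 100),
    Pkt(0.002, CLIENT, SERVER, 201, 100),
    Pkt(0.030, SERVER, CLIENT, 1, 500),
    Pkt(0.031, SERVER, CLIENT, 501, 500),
]

def capture_at(host, conversation, latency=0.020):
    """Trace taken on `host`: its own packets at send time, the peer's one latency later."""
    return [p if p.src == host else p._replace(ts=p.ts + latency) for p in conversation]

def merge(*captures):
    """Chronological merge of several traces (what the thread's mergecap command produces)."""
    return sorted((p for cap in captures for p in cap), key=lambda p: p.ts)

def count_flagged(packets):
    """Reduced stand-in for TCP analysis: flag a data segment that ends at or
    before the highest sequence number already seen in that direction."""
    highest, flagged = {}, 0
    for p in packets:
        flow, end = (p.src, p.dst), p.seq + p.length
        if flow in highest and end <= highest[flow]:
            flagged += 1
        highest[flow] = max(highest.get(flow, 0), end)
    return flagged

def sent_by(host, packets):
    """Keep only the direction that originates at `host`."""
    return [p for p in packets if p.src == host]

client_cap = capture_at(CLIENT, CONVERSATION)
server_cap = capture_at(SERVER, CONVERSATION)

if __name__ == "__main__":
    print("client trace alone :", count_flagged(client_cap))
    print("server trace alone :", count_flagged(server_cap))
    print("naive merge        :", count_flagged(merge(client_cap, server_cap)))
    one_way = merge(sent_by(CLIENT, client_cap), sent_by(SERVER, server_cap))
    print("one direction each :", count_flagged(one_way))
```

In the naive merge every data segment appears twice, so the second copy of each is flagged even though neither trace on its own contains a retransmission.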


