Re: Wireshark V1.8.0 - analysing dual NIC capture

[Tamás Varga <Tamas.Varga () ericsson com>]

Sounds to be a handy feature! Before advancing the idea, beware the use cases when it is useful and when it is not. 
From my former projects, I have collected some, see the examples below. My understanding is, that using the 
"frame.interface_id" field, one can filter and analyze packets without combination coming from multiple interfaces. 
/Tamas


Some use cases where combination is useful: 
- Dual-interface end hosts communicate over two Ethernet switches in load balancing mode. Packets of a TCP connection 
may be sent over both switches, thus combining packets from both switch port mirroring is a needed to have an entire 
TCP flow anaysis.
- In case of tapping optical links, you receive uplink and downlink packet stream in separately, obviously, 
recombination is also a need here.
- In 3GPP systems, where ATM is still in place, there the control-plane is sent over ATM/AAL5 and user-plane is 
conveyed in Ethernet/IP (or still over ATM). Combination of traces with different link layer framing is awkward 
complicated (without this 1.8.0 feature).

Some use cases where combination is not useful:
- For troubleshooting delay/loss problems, the traffic is captured "before" and "after" the box suspected. The packets 
of the same TCP connection appear twice, which are actually two different snapshots of the traffic.
- Similar to above, when in 3GPP core network, traffic of Iu,Gn,Gi interfaces is conveyed on the same switching 
infrastucture (via different VLAN). Thus the same user packet is present with different tunnel headers.




-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of 
Christopher Maynard
Sent: Friday, June 29, 2012 02:46
To: wireshark-users () wireshark org
Subject: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture

Jeff Morriss <jeff.morriss.ws@...> writes:

> On Tue, Jun 26, 2012 at 8:51 AM, Keith French <keithfrench@...> wrote:
> > Thanks for a really fantastic new release of Wireshark.
> >
> > I have been trying out Wireshark V1.8.0 capturing on 2 NICs 
> > simultaneously
using the .pcapng format.
> However, I am not really sure what I am expecting to see when 
> analysing the
trace.
> The main thing is that you can get packets from 2 interfaces at the 
> same time.  No other real changes.

Should other real changes be made?  For example, would it make sense to take into account the interface when performing 
reassembly, conversation tracking, etc?  I would think that in many (most?) cases, it wouldn't be very useful to try to 
mix/combine that type of analysis across interfaces.  I'm sure there could be cases where more than 1 interface could 
be used for an entire conversation (for example), so maybe have a preference to control whether the interface should or 
should not be taken into account?

- Chris




___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe