Wireshark mailing list archives
Re: TCP Delta question
From: <Tim.Poth () bentley com>
Date: Thu, 21 Aug 2014 17:28:53 +0000
The delta column is going to display the time from the last frame or the last in the same session or that is currently displayed (depending how you have it set). Seeing a large delta isn't an issue in its self, if it's a keep alive and you are looking at it from a session level, it makes sense. If you have a busy box and are looking at delta from last frame you may never see a large delta because the box is busy but if you move to delta conversation you may find you have a problem hidden but the other traffic. Based on what you have posted I'm not sure you have an issue and I don't think it advocates a tap in and of its self. Hope that helps From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Tom Simpson Sent: Thursday, August 21, 2014 10:56 AM To: wireshark-users () wireshark org Subject: [Wireshark-users] TCP Delta question I am looking at a trace file from a server and have a question. I am seeing a large TCP Delta in some of the packets and the source server is the machine I have Wireshark installed on. Here is one of the packets that shows the large Delta. I took a trace from the server on the other end and it shows a very small, what I expected it to be, Delta Time. Does this mean the server I am capturing on is possibly having an application issue of some sort? This was taken during a file transfer between the two; I copied Acrobat Reader from the fileserver to the terminal server. The transfer took a normal amount of time, so I am thinking this is some housekeeping process for M$AD. No. Time TCP Delta Source Destination Protocol Length Win Size Calc'd Win Size 41983 1408627378.013279 119.951789000 fileserver.mydomain.local terminalserver.mydomain.local TCP 55 64629 64629 [TCP Keep-Alive] microsoft-ds > 63239 [ACK] Seq=385 Ack=321 Win=64629 Len=1 This was a 1 byte keep alive which is what has me puzzled. I do see these same Delta times with similar traffic on some of our other servers on the network. Does this mean there is an issue in AD, or is this just one more reason to use a TAP for a packet capture instead of installing wireshark locally on the server? -- Thanks, Tom Simpson LAN/WAN Engineer Forcht Group of Kentucky 859.259.9700 x538 "We all knew there was just one way to improve our odds for survival: train, train, train. Sometimes, if your training is properly intense it will kill you. More often -- much, much more often -- it will save your life." - Richard Marcinko, former US Navy SEAL Team Commander ________________________________ CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Forcht Group IT, 2400 South Main Street, Corbin, Ky.
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- TCP Delta question Tom Simpson (Aug 21)
- Re: TCP Delta question Tim.Poth (Aug 21)