Wireshark mailing list archives

Re: TCP Delta question


From: <Tim.Poth () bentley com>
Date: Thu, 21 Aug 2014 17:28:53 +0000

The delta column is going to display the time from the last frame, or the last frame in the same session, or the last frame that is currently 
displayed (depending on how you have it set). Seeing a large delta isn't an issue in itself; if it's a keep-alive and 
you are looking at it from a session level, it makes sense. If you have a busy box and are looking at delta from last 
frame you may never see a large delta because the box is busy, but if you move to delta from conversation you may find you 
have a problem hidden by the other traffic.
Based on what you have posted I'm not sure you have an issue, and I don't think it advocates a tap in and of itself.
Hope that helps

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Tom 
Simpson
Sent: Thursday, August 21, 2014 10:56 AM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] TCP Delta question

I am looking at a trace file from a server and have a question.

I am seeing a large TCP Delta in some of the packets and the source server is the machine I have Wireshark installed on.


Here is one of the packets that shows the large Delta.  I took a trace from the server on the other end and it shows a 
very small, what I expected it to be, Delta Time. Does this mean the server I am capturing on is possibly having an 
application issue of some sort? This was taken during a file transfer between the two; I copied Acrobat Reader from the 
fileserver to the terminal server. The transfer took a normal amount of time, so I am thinking this is some 
housekeeping process for M$AD.



No.:              41983
Time:             1408627378.013279
TCP Delta:        119.951789000
Source:           fileserver.mydomain.local
Destination:      terminalserver.mydomain.local
Protocol:         TCP
Length:           55
Win Size:         64629
Calc'd Win Size:  64629
Info:             [TCP Keep-Alive] microsoft-ds > 63239 [ACK] Seq=385 Ack=321 Win=64629 Len=1


This was a 1 byte keep alive which is what has me puzzled. I do see these same Delta times with similar traffic on some 
of our other servers on the network.  Does this mean there is an issue in AD, or is this just one more reason to use a 
TAP for a packet capture instead of installing wireshark locally on the server?





--
Thanks,

Tom Simpson
LAN/WAN Engineer
Forcht Group of Kentucky
859.259.9700 x538

"We all knew there was just one way to improve our odds for survival:
train, train, train. Sometimes, if your training is properly intense it
will kill you. More often -- much, much more often -- it will save your
life."  - Richard Marcinko, former US Navy SEAL Team Commander

________________________________

CONFIDENTIALITY NOTICE:
This message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if 
you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be 
guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or 
incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the 
contents of this message, which arise as a result of e-mail transmission. If verification is required please request a 
hard-copy version.

Forcht Group IT, 2400 South Main Street, Corbin, Ky.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
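The distinction Tim draws above (delta from the previous captured frame versus delta from the previous frame in the same TCP conversation) worked through as an added example; this is not part of the thread and not Wireshark's own code. The packet list is constructed: the host names, the unrelated RDP session on port 3389, its 5 s spacing and the port numbers are assumptions chosen for illustration, and the only figure taken from Tom's trace is the 119.951789 s keep-alive gap.

```python
"""Frame delta vs. per-conversation delta, the distinction made in the thread.

Constructed sample traffic (not a real capture): the tail of an SMB transfer
between fileserver:445 and terminalserver:63239, unrelated RDP chatter that
keeps the capture host busy, then the 1-byte TCP keep-alive ~120 s later.
"""
from collections import namedtuple

# Minimal stand-in for the fields a packet-list row carries.
Packet = namedtuple("Packet", "no ts src sport dst dport info")


def stream_key(p):
    """Direction-independent 4-tuple, so both sides of one TCP conversation share a key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def compute_deltas(packets):
    """For each packet compute the two deltas Wireshark can show:

    frame_delta - seconds since the previous captured frame (frame.time_delta)
    conv_delta  - seconds since the previous frame of the same TCP conversation
                  (tcp.time_delta; only populated when the TCP preference
                  "Calculate conversation timestamps" is enabled)
    """
    rows = []
    prev_ts = None
    last_seen = {}  # stream key -> timestamp of that conversation's last frame
    for p in sorted(packets, key=lambda x: x.no):
        frame_delta = 0.0 if prev_ts is None else p.ts - prev_ts
        key = stream_key(p)
        conv_delta = 0.0 if key not in last_seen else p.ts - last_seen[key]
        rows.append({"no": p.no, "frame_delta": frame_delta,
                     "conv_delta": conv_delta, "info": p.info})
        prev_ts = p.ts
        last_seen[key] = p.ts
    return rows


def quiet_conversations(rows, threshold_s):
    """Frames whose own conversation was silent for at least threshold_s.

    This is the view that exposes the keep-alive gap even when frame_delta
    stays small because other traffic kept the box busy.
    """
    return [r for r in rows if r["conv_delta"] >= threshold_s]


# --- constructed sample; times are seconds relative to the end of the transfer ---
SAMPLE = [Packet(1, 0.0, "terminalserver", 63239, "fileserver", 445,
                 "[ACK] last ACK of the file transfer")]
# Unrelated RDP session keeps the capture host busy: one frame every 5 s, t = 5 .. 115
SAMPLE += [Packet(2 + i, 5.0 * (i + 1), "workstation", 50123, "terminalserver", 3389, "RDP")
           for i in range(23)]
# The keep-alive from the thread: 119.951789 s after the last frame of its conversation
SAMPLE.append(Packet(25, 119.951789, "fileserver", 445, "terminalserver", 63239,
                     "[TCP Keep-Alive] microsoft-ds > 63239 [ACK] Len=1"))

if __name__ == "__main__":
    rows = compute_deltas(SAMPLE)
    for r in rows:
        print(f'{r["no"]:>3}  frame_delta={r["frame_delta"]:>10.6f}  '
              f'conv_delta={r["conv_delta"]:>10.6f}  {r["info"]}')
    print("conversations silent >= 60 s:", [r["no"] for r in quiet_conversations(rows, 60.0)])
```

Run against the sample, frame 25 (the keep-alive) shows a frame delta of under 5 s, since the RDP chatter kept arriving, but a conversation delta of almost 120 s, which is exactly the "problem hidden by the other traffic" case. On a real capture the same two numbers come from tshark, for example `tshark -r capture.pcapng -o tcp.calculate_timestamps:TRUE -Y tcp.analysis.keep_alive -T fields -e frame.number -e frame.time_delta -e tcp.time_delta -e tcp.stream`; tcp.time_delta is empty unless that preference is turned on.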
