wireshark packet tracking

Posted on 2013-12-06
Last Modified: 2013-12-21
I am capturing the packets with Wireshark on both ends of the WAN side. I am trying to track the packet when it comes to the other side. Is there anything within the packet that I can use to track my packet from the other side? Thanks
Question by:leblanc
16 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 39701007
I am not sure exactly what you are looking for but you can set display filters to see only a specific ip or mac address if that is what you are looking for.

For example to filter to see a single IP address, in the white box next to the word filter on the left above the packets, type in ip.addr==10.10.10.10 and hit apply to see only packets from that one address.
 
LVL 1

Author Comment

by:leblanc
ID: 39701061
What I meant was, if packet 1 on site A is going to site B and I am capturing the traffic in site B, which one of the packets is packet 1?
Packet 1 is just one of the packets for the communication between the client and the server (or between two IP addresses).
You can filter a specific IP address but how do you keep track of a specific packet within the conversation between two IP addresses.

I hope it makes sense. Thanks
 
LVL 57

Expert Comment

by:giltjr
ID: 39701385
If you are capturing both sides of a single TCP connection you should see the same thing on both sides.

Anyway TCP uses sequence numbers, so you can compare sequence numbers.
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 125 total points
ID: 39701392
The conversation between two devices is a series of packets until the conversation ends. One packet will only tell you part of the conversation. When you run the trace filter between the two IPs you will get the list of packets. Looking at a single packet is like reading one sentence in an entire page of dialogue.
 
LVL 1

Author Comment

by:leblanc
ID: 39701571
Let's say there are many "topics" in a conversation. So tracking the beginning and the end of each topic will allow me to get the number of bytes and the duration for each "topic". That is what I am getting at.
I was trying to look for the sequence number of the packet on the other end and I could not find a match.
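Added by the editor as a worked example (this is not code from the thread): one way to line up the same packet in the site A and site B captures once both have been exported with tshark. A check worth making when a sequence number cannot be found on the other side is that Wireshark displays relative sequence numbers by default, and each capture starts counting from the first segment it happened to see, so the displayed value is not a stable cross-capture key. The raw value is (tcp.seq_raw in newer Wireshark releases, or untick "Relative sequence numbers" in the TCP protocol preferences in older ones). The script therefore keys on the 4-tuple, ip.id and the raw sequence number. The tshark command in the comment, the capture file names and every packet line are assumptions constructed for the example.

```python
from collections import namedtuple
from decimal import Decimal

# Assumed export command, run once per capture (one tab-separated line per packet):
#   tshark -r siteA.pcap -Y "ip.addr==10.10.10.10 and ip.addr==10.10.20.1" \
#          -T fields -E separator=/t \
#          -e frame.number -e frame.time_epoch -e ip.src -e ip.dst \
#          -e tcp.srcport -e tcp.dstport -e ip.id -e tcp.seq_raw -e tcp.seq
FIELDS = ("frame", "time", "src", "dst", "sport", "dport", "ipid", "seq_raw", "seq_rel")
Pkt = namedtuple("Pkt", FIELDS)


def parse_tshark_fields(text):
    """Turn tshark -T fields output into Pkt records; blank or malformed lines are skipped."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) == len(FIELDS):
            pkts.append(Pkt(*cols))
    return pkts


def packet_key(p):
    """Identity of a packet that crosses the WAN unchanged when there is no NAT:
    4-tuple, IP identification field and raw (absolute) TCP sequence number.
    The relative sequence number (seq_rel) is deliberately left out of the key."""
    return (p.src, p.dst, p.sport, p.dport, p.ipid, p.seq_raw)


def match_captures(site_a, site_b):
    """Pair every site A packet with the same packet at site B.
    Returns (frame_a, frame_b or None, seconds from A to B or None) per A packet.
    Duplicate keys (retransmissions) are consumed in capture order."""
    pending = {}
    for q in site_b:
        pending.setdefault(packet_key(q), []).append(q)
    result = []
    for p in site_a:
        cands = pending.get(packet_key(p))
        if cands:
            q = cands.pop(0)
            result.append((p.frame, q.frame, Decimal(q.time) - Decimal(p.time)))
        else:
            result.append((p.frame, None, None))
    return result


# Constructed sample: site A saw the connection from the SYN, site B started
# capturing mid-stream, so the relative tcp.seq values (last column) disagree
# while ip.id and tcp.seq_raw do not. Times are constructed epoch seconds.
SITE_A = """\
1\t1386000000.000100\t10.10.10.10\t10.10.20.1\t51234\t80\t0x04d2\t1000000\t1
2\t1386000000.030500\t10.10.20.1\t10.10.10.10\t80\t51234\t0x01a3\t5000000\t1
3\t1386000000.030700\t10.10.10.10\t10.10.20.1\t51234\t80\t0x04d3\t1000310\t311
"""
SITE_B = """\
7\t1386000000.012300\t10.10.10.10\t10.10.20.1\t51234\t80\t0x04d2\t1000000\t0
8\t1386000000.018200\t10.10.20.1\t10.10.10.10\t80\t51234\t0x01a3\t5000000\t0
"""


def demo():
    """Match the two constructed captures above."""
    return match_captures(parse_tshark_fields(SITE_A), parse_tshark_fields(SITE_B))


if __name__ == "__main__":
    for frame_a, frame_b, delta in demo():
        if frame_b is None:
            print(f"site A frame {frame_a}: not seen at site B")
        else:
            print(f"site A frame {frame_a} = site B frame {frame_b}, delta {delta:+.6f} s")
```

The delta is only a one-way latency if the two capture hosts' clocks are synchronised (NTP on both probes); otherwise use the matches for ordering and loss, not for timing. If the sender zeroes ip.id on DF-marked segments, drop it from the key; the 4-tuple plus raw sequence number still identifies non-retransmitted data.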
 
LVL 57

Expert Comment

by:giltjr
ID: 39701696
Let's take a step back.  What higher level protocol are you trying to capture?

That is: http, cifs, telnet, ftp, ssh.
 
LVL 1

Author Comment

by:leblanc
ID: 39701722
http
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 375 total points
ID: 39701740
Sequence numbers should definitely be there and valid, HOWEVER, depending on various things you could still have problems.

Is this a private WAN or is this over the Internet?


Do you see the real IP addresses, or is one side going through a firewall that may be doing many-to-one NAT for outbound traffic?

What you should be able to do is setup a display filter like:

ip.addr == x.x.x.x and (http.request or http.response)

Where x.x.x.x is the client side IP address.  The problem you may see is if the client is behind a proxy server or firewall that does many-to-one NAT then all connections will have the same IP address.
 
LVL 1

Author Comment

by:leblanc
ID: 39701790
private WAN (MPLS).
I see the matching client and server IP addresses on both side.
I did setup the filter for the IP address:
- server side filter (ip.addr==10.10.10.10). 10.10.10.10 is the client
- client side filter (ip.addr==10.10.20.1). 10.10.20.1 is the server.

There is no NAT involved.
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 375 total points
ID: 39701854
Without any NAT you should be able to include the "and (http.request or http.response)" with the IP address filter and it will match up.

You might want to try:

((ip.src == 10.10.10.10 and ip.dst == 10.10.20.1) or (ip.dst == 10.10.10.10 and ip.src == 10.10.20.1)) and (http.request or http.response)

This should display only traffic that is between both of those hosts and are http.requests or responses.

Is there something specific you are looking for?
 
LVL 1

Author Comment

by:leblanc
ID: 39701888
Yes. I am looking for the duration for a particular function. For example, when a user clicks on the Browse_Record button. I'd like to see how long it will take for the browser to display all the records on the client side.
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 375 total points
ID: 39701898
Well, I don't think you will actually be able to see that in a packet trace.

Assuming that button causes an HTTP GET or POST,

From the client side you will be able to see when the GET/POST was issued and when the last packet for that GET/POST was received. You don't need to do any tracing on the server side, unless you want to see how much server and network overhead there is.

However, it takes time for the browser to render the page and you can't measure that with a packet trace.
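Added by the editor as a worked example (not the thread's code): measuring, from the client-side capture alone, how long each GET/POST took from the request leaving the client until the last segment of its response arrived, which is what the reply above says a trace can give you. The practical check for finding the end of a transaction in Wireshark is the http.request_in field on the response frame (the frame number of the request it answers, filled in when TCP reassembly is on, which is the default), together with http.time on the same frame. The script below takes those fields from a tshark export, pairs requests with responses, falls back to in-order matching on the same tcp.stream when http.request_in is missing, and sums up a whole button click that fans out into several requests. The export command, the URIs and every packet line are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from decimal import Decimal

# Assumed export from the client-side capture (10.10.10.10 client, 10.10.20.1 server):
#   tshark -r client.pcap \
#          -Y "ip.addr==10.10.10.10 and ip.addr==10.10.20.1 and (http.request or http.response)" \
#          -T fields -E separator=/t -E occurrence=f \
#          -e frame.number -e frame.time_epoch -e tcp.stream \
#          -e http.request.method -e http.request.uri -e http.response.code -e http.request_in
FIELDS = ("frame", "time", "stream", "method", "uri", "code", "request_in")
Row = namedtuple("Row", FIELDS)
Txn = namedtuple("Txn", "req_frame resp_frame stream method uri code duration")


def parse_rows(text):
    """Parse tshark -T fields output; empty fields stay as ''. Blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) == len(FIELDS):
            rows.append(Row(*cols))
    return rows


def pair_transactions(rows):
    """Pair each HTTP request with its response and compute the elapsed time.
    Primary key: http.request_in on the response. Fallback when it is empty:
    the oldest unanswered request on the same tcp.stream (HTTP/1.1 answers in order).
    Requests with no response in the capture are returned with duration None."""
    open_reqs = {}                  # request frame -> Row
    per_stream = defaultdict(list)  # tcp.stream -> unanswered request frames, in order
    txns = []
    for r in rows:
        if r.method:                # a request
            open_reqs[r.frame] = r
            per_stream[r.stream].append(r.frame)
        elif r.code:                # a response
            req_frame = r.request_in or (per_stream[r.stream][0] if per_stream[r.stream] else "")
            req = open_reqs.pop(req_frame, None)
            if req is None:
                continue            # answers a request that is outside the capture
            per_stream[req.stream].remove(req.frame)
            txns.append(Txn(req.frame, r.frame, req.stream, req.method, req.uri, r.code,
                            Decimal(r.time) - Decimal(req.time)))
    for req in open_reqs.values():
        txns.append(Txn(req.frame, None, req.stream, req.method, req.uri, None, None))
    txns.sort(key=lambda t: int(t.req_frame))
    return txns


def click_window(rows, txns):
    """Wall-clock span of one user action: first request sent to last response received."""
    times = {r.frame: Decimal(r.time) for r in rows}
    starts = [times[t.req_frame] for t in txns]
    ends = [times[t.resp_frame] for t in txns if t.resp_frame is not None]
    return (max(ends) - min(starts)) if starts and ends else None


# Constructed sample: one click sends a POST and a GET on two connections, then a
# second GET on the reused connection; the final GET is never answered in the capture.
ROWS = """\
10\t1386000000.500000\t0\tPOST\t/Browse_Record\t\t
11\t1386000000.520000\t1\tGET\t/static/app.js\t\t
18\t1386000000.640000\t1\t\t\t200\t11
25\t1386000000.910000\t0\t\t\t200\t10
26\t1386000000.915000\t0\tGET\t/records?page=1\t\t
40\t1386000001.320000\t0\t\t\t200\t26
41\t1386000001.325000\t0\tGET\t/records?page=2\t\t
"""


def demo():
    """Pair the constructed rows above and measure the whole click."""
    rows = parse_rows(ROWS)
    txns = pair_transactions(rows)
    return txns, click_window(rows, txns)


if __name__ == "__main__":
    txns, window = demo()
    for t in txns:
        shown = f"{t.duration:.6f} s" if t.duration is not None else "no response in capture"
        print(f"frame {t.req_frame} {t.method} {t.uri} (stream {t.stream}): {shown}")
    print(f"click window: {window:.6f} s")
```

The per-request duration ends at the frame in which Wireshark finished reassembling the response, i.e. the last segment of the body, so it includes server think time plus transfer time. Running the same script over the server-side export and subtracting the two figures for the same request isolates the network share, which is the only reason to keep the server-side capture.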
 
LVL 1

Author Comment

by:leblanc
ID: 39701967
Yes. The button will trigger the GET and POST.  
"it takes time for the browser to render the page and you can't measure that with a packet trace. " Agree with this. That is why I need to look at the GET and POST.
 
LVL 57

Expert Comment

by:giltjr
ID: 39701984
O.K. Again, all you need is from the client side, unless you are trying to isolate server and network time.
 
LVL 1

Author Comment

by:leblanc
ID: 39702038
it is not obvious sometimes to see the beginning and the end of a GET or POST transaction.
 
LVL 57

Expert Comment

by:giltjr
ID: 39702052
Maybe I'm missing something.  Why do you say that?
