Solved

wireshark packet tracking

Posted on 2013-12-06
661 Views
Last Modified: 2013-12-21
I am capturing the packets with Wireshark on both ends of the WAN side. I am trying to track the packet when it comes to the other side. Is there anything within the packet that I can use to track my packet from the other side? Thanks
Question by:leblanc
16 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 39701007
I am not sure exactly what you are looking for but you can set display filters to see only a specific ip or mac address if that is what you are looking for.

For example to filter to see a single IP address, in the white box next to the word filter on the left above the packets, type in ip.addr==10.10.10.10 and hit apply to see only packets from that one address.
 
LVL 1

Author Comment

by:leblanc
ID: 39701061
What I meant was: if packet 1 on site A is going to site B and I am capturing the traffic in site B, which one of the packets is packet 1?
Packet 1 is just one of the packets for the communication between the client and the server (or between two IP addresses).
You can filter a specific IP address, but how do you keep track of a specific packet within the conversation between two IP addresses?

I hope it makes sense. Thanks
 
LVL 57

Expert Comment

by:giltjr
ID: 39701385
If you are capturing both sides of a single TCP connection you should see the same thing on both sides.

Anyway TCP uses sequence numbers, so you can compare sequence numbers.
 
LVL 26

Assisted Solution

by:Soulja
Soulja earned 500 total points
ID: 39701392
The conversation between two devices is a series of packets until the conversation ends. One packet will only tell you part of the conversation. When you run the trace filter between the two IPs you will get the list of packets. Looking at a single packet is like reading one sentence in an entire page of dialogue.
 
LVL 1

Author Comment

by:leblanc
ID: 39701571
Let's say there are many "topics" in a conversation. So tracking the beginning and the end of each topic will allow me to get the number of bytes and the duration for each "topic". That is what I am getting at.
I was trying to look for the sequence number of the packet on the other end and I could not find a match.
 
LVL 57

Expert Comment

by:giltjr
ID: 39701696
Let's take a step back. What higher-level protocol are you trying to capture?

That is: http, cifs, telnet, ftp, ssh.
 
LVL 1

Author Comment

by:leblanc
ID: 39701722
http
 
LVL 57

Accepted Solution

by:giltjr
giltjr earned 1500 total points
ID: 39701740
Sequence numbers should definitely be there and valid; HOWEVER, depending on various things you could still have problems.

Is this a private WAN or is this over the Internet?

Do you see the real IP addresses, or is one side going through a firewall that may be doing many-to-one NAT for outbound traffic?

What you should be able to do is set up a display filter like:

ip.addr == x.x.x.x and (http.request or http.response)

where x.x.x.x is the client side IP address. The problem you may see is if the client is behind a proxy server or firewall that does many-to-one NAT; then all connections will have the same IP address.
 
LVL 1

Author Comment

by:leblanc
ID: 39701790
Private WAN (MPLS).
I see the matching client and server IP addresses on both sides.
I did set up the filter for the IP address:
- server side filter (ip.addr==10.10.10.10). 10.10.10.10 is the client.
- client side filter (ip.addr==10.10.20.1). 10.10.20.1 is the server.

There is no NAT involved.
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1500 total points
ID: 39701854
Without any NAT you should be able to include the "and (http.request and http.response)" in the IP address filter and it will match up.

You might want to try:

((ip.src_host == 10.10.10.10 and ip.dst_host == 10.10.20.1) or (ip.dst_host == 10.10.10.10 and ip.src_host == 10.10.20.1)) and (http.request or http.response)

This should display only traffic that is between both of those hosts and is an HTTP request or response.

Is there something specific you are looking for?
 
LVL 1

Author Comment

by:leblanc
ID: 39701888
Yes. I am looking for the duration for a particular function. For example, when a user clicks on the Browse_Record button. I'd like to see how long it will take for the browser to display all the records on the client side.
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 1500 total points
ID: 39701898
Well, I don't think you will actually be able to see that in a packet trace.

Assuming that button causes an HTTP GET or POST, from the client side you will be able to see when the GET/POST was issued and when the last packet for that GET/POST was received. You don't need to do any tracing on the server side, unless you want to see how much server and network overhead there is.

However, it takes time for the browser to render the page and you can't measure that with a packet trace.
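An added example (not from this thread) of the two checks giltjr describes, in Python: matching the same TCP segment in the client-side and server-side captures by flow tuple, absolute sequence number and IP ID, and timing each HTTP request from the client-side trace alone. The packet records are constructed here; in practice they would be exported from the two Wireshark captures. It assumes no NAT on the path, as leblanc confirmed.

```python
from collections import namedtuple

# ts: capture timestamp (s). seq: absolute TCP sequence number (Wireshark's relative
# numbers restart per capture, so compare raw values). ip_id: IP identification,
# which tells a retransmitted segment apart from the original one it repeats.
Pkt = namedtuple("Pkt", "ts src dst sport dport seq ip_id http", defaults=("",))

def flow_key(p):
    # What a segment keeps unchanged across a WAN without NAT: flow tuple + seq + IP ID.
    return (p.src, p.dst, p.sport, p.dport, p.seq, p.ip_id)

def match_across_sides(site_a, site_b):
    """Pair every site-A segment with the same segment in the site-B capture.
    Returns ({key: (ts_a, ts_b)}, [keys captured at site B but never at site A])."""
    idx_b = {flow_key(p): p.ts for p in site_b}
    matched = {}
    for p in site_a:
        k = flow_key(p)
        if k in idx_b:
            matched[k] = (p.ts, idx_b[k])
    return matched, [k for k in idx_b if k not in matched]

def request_durations(pkts, client, server):
    """Client-side trace only: seconds from each HTTP request to the last
    server->client segment seen before the next request on that connection."""
    pending = {}  # client port -> [request ts, ts of latest reply segment]
    done = []
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.src == client and p.dst == server and p.http == "request":
            if p.sport in pending:  # a new request on the port closes the previous one
                done.append(tuple(pending.pop(p.sport)))
            pending[p.sport] = [p.ts, p.ts]
        elif p.src == server and p.dst == client and p.dport in pending:
            pending[p.dport][1] = p.ts  # response bytes still arriving
    done.extend(tuple(v) for v in pending.values())
    return [round(end - start, 3) for start, end in done]

# Constructed sample: one GET captured at the client site (A) and the server site (B),
# ~20 ms one-way delay; the second response segment is lost in the WAN and retransmitted.
CLIENT, SERVER = "10.10.10.10", "10.10.20.1"
SITE_A = [
    Pkt(0.000, CLIENT, SERVER, 51000, 80, 1000, 0x1A2B, "request"),
    Pkt(0.045, SERVER, CLIENT, 80, 51000, 5000, 0x2001, "response"),
    Pkt(0.250, SERVER, CLIENT, 80, 51000, 6460, 0x2003),  # only the retransmission arrives
]
SITE_B = [
    Pkt(0.020, CLIENT, SERVER, 51000, 80, 1000, 0x1A2B, "request"),
    Pkt(0.025, SERVER, CLIENT, 80, 51000, 5000, 0x2001, "response"),
    Pkt(0.026, SERVER, CLIENT, 80, 51000, 6460, 0x2002),  # lost in the WAN
    Pkt(0.230, SERVER, CLIENT, 80, 51000, 6460, 0x2003),  # retransmission
]
```

The segment seen only at site B shows why seq alone is not enough: both copies carry seq 6460, and only the IP ID separates the lost original from the retransmission that reached the client.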
 
LVL 1

Author Comment

by:leblanc
ID: 39701967
Yes. The button will trigger the GET and POST.
"It takes time for the browser to render the page and you can't measure that with a packet trace." Agree with this. That is why I need to look at the GET and POST.
 
LVL 57

Expert Comment

by:giltjr
ID: 39701984
O.K. Again, all you need is from the client side, unless you are trying to isolate server and network time.
 
LVL 1

Author Comment

by:leblanc
ID: 39702038
It is not obvious sometimes to see the beginning and the end of a GET or POST transaction.
 
LVL 57

Expert Comment

by:giltjr
ID: 39702052
Maybe I am missing something. Why do you say that?