Solved

wireshark packet tracking

Posted on 2013-12-06
Last Modified: 2013-12-21
I am capturing the packets with Wireshark on both ends of the WAN side. I am trying to track the packet when it comes to the other side. Is there anything within the packet that I can use to track my packet from the other side? Thanks
Question by:leblanc
16 Comments

Expert Comment

by:Rick_O_Shay
ID: 39701007
I am not sure exactly what you are looking for, but you can set display filters to see only a specific IP or MAC address if that is what you are looking for.

For example to filter to see a single IP address, in the white box next to the word filter on the left above the packets, type in ip.addr==10.10.10.10 and hit apply to see only packets from that one address.

Author Comment

by:leblanc
ID: 39701061
What I meant was: if packet 1 goes from site A to site B and I am capturing the traffic at site B, which one of the packets is packet 1?
Packet 1 is just one of the packets for the communication between the client and the server (or between two IP addresses).
You can filter a specific IP address, but how do you keep track of a specific packet within the conversation between two IP addresses?

I hope it makes sense. Thanks

Expert Comment

by:giltjr
ID: 39701385
If you are capturing both sides of a single TCP connection you should see the same thing on both sides.

Anyway TCP uses sequence numbers, so you can compare sequence numbers.

Assisted Solution

by:Soulja
Soulja earned 125 total points
ID: 39701392
The conversation between two devices is a series of packets until the conversation ends. One packet will only tell you part of the conversation. When you run the trace filter between the two IPs you will get the list of packets. Looking at a single packet is like reading one sentence in an entire page of dialogue.

Author Comment

by:leblanc
ID: 39701571
Let's say there are many "topics" in a conversation. So tracking the beginning and the end of each topic will allow me to get the number of bytes and the duration for each "topic". That is what I am getting at.
I was trying to look for the sequence number of the packet on the other end and I could not find a match.

Expert Comment

by:giltjr
ID: 39701696
Let's take a step back. What higher level protocol are you trying to capture?

That is: http, cifs, telnet, ftp, ssh.

Author Comment

by:leblanc
ID: 39701722
http

Accepted Solution

by:giltjr
giltjr earned 375 total points
ID: 39701740
Sequence numbers should definitely be there and valid, HOWEVER, depending on various things you could still have problems.

Is this a private WAN or is this over the Internet?

Do you see the real IP addresses, or is one side going through a firewall that may be doing many-to-one NAT for outbound traffic?

What you should be able to do is setup a display filter like:

ip.addr == x.x.x.x and (http.request or http.response)

Where x.x.x.x is the client side IP address.  The problem you may see is if the client is behind a proxy server or firewall that does many-to-one NAT then all connections will have the same IP address.

Author Comment

by:leblanc
ID: 39701790
Private WAN (MPLS).
I see the matching client and server IP addresses on both sides.
I did set up the filter for the IP address:
- server side filter (ip.addr==10.10.10.10). 10.10.10.10 is the client
- client side filter (ip.addr==10.10.20.1). 10.10.20.1 is the server.

There is no NAT involved.

Assisted Solution

by:giltjr
giltjr earned 375 total points
ID: 39701854
Without any NAT you should be able to include the "and (http.request or http.response)" in the IP address filter and it will match up.

You might want to try:

((ip.src_host == 10.10.10.10 and ip.dst_host == 10.10.20.1) or (ip.dst_host == 10.10.10.10 and ip.src_host == 10.10.20.1)) and (http.request or http.response)

This should display only traffic that is between those two hosts and is an HTTP request or response.

Is there something specific you are looking for?

Author Comment

by:leblanc
ID: 39701888
Yes. I am looking for the duration for a particular function. For example, when a user clicks on the Browse_Record button. I'd like to see how long it will take for the browser to display all the records on the client side.

Assisted Solution

by:giltjr
giltjr earned 375 total points
ID: 39701898
Well, I don't think you will actually be able to see that in a packet trace.

Assuming that button causes an HTTP GET or POST:

From the client side you will be able to see when the GET/POST was issued and when the last packet for that GET/POST was received. You don't need to do any tracing on the server side, unless you want to see how much server and network overhead there is.

However, it takes time for the browser to render the page and you can't measure that with a packet trace.
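Added example, not code from the thread or from Wireshark: a small Python model of the display filter giltjr posted above (ID 39701854) and of the measurement in this answer, from the client's GET/POST to the last frame the server sends in that tcp.stream, which yields the per-transaction duration and byte count the asker was after. The Pkt record, the function names and the packet list (including the unrelated host 10.10.30.5) are constructed for the demo; the field names in the comments are the Wireshark ones a real capture would be exported with.

```python
from dataclasses import dataclass
# Hosts from the thread: 10.10.10.10 is the client, 10.10.20.1 the server.
CLIENT, SERVER = "10.10.10.10", "10.10.20.1"

@dataclass
class Pkt:                       # constructed stand-in for one exported frame
    t: float                     # frame.time_relative: seconds since capture start
    src: str                     # ip.src
    dst: str                     # ip.dst
    stream: int                  # tcp.stream, the index Wireshark assigns per connection
    length: int                  # frame.len in bytes
    http_request: bool = False   # Wireshark sets http.request on the GET/POST frame
    http_response: bool = False  # and http.response on the (reassembled) reply frame

def between_hosts(p):
    """The ip.src_host/ip.dst_host half of the thread's filter, in either direction."""
    return {p.src, p.dst} == {CLIENT, SERVER}

def matches_filter(p):
    """Same predicate as the posted display filter: both-direction host pair
    and (http.request or http.response)."""
    return between_hosts(p) and (p.http_request or p.http_response)

def transaction_stats(packets):
    """Per tcp.stream: seconds from the client's GET/POST to the last frame the server
    sent in that stream, plus the bytes the server sent. This is the client-side
    measurement described in the thread; browser render time is not part of it."""
    started, stats = {}, {}
    for p in sorted(packets, key=lambda q: q.t):
        if not between_hosts(p):
            continue                       # unrelated conversations are ignored
        if p.http_request and p.src == CLIENT:
            started[p.stream] = p.t        # request issued: start the clock
            stats[p.stream] = {"duration": 0.0, "server_bytes": 0}
        elif p.stream in started and p.src == SERVER:
            s = stats[p.stream]            # each later server frame extends the window
            s["server_bytes"] += p.length
            s["duration"] = round(p.t - started[p.stream], 6)
    return stats

# Constructed capture (not real data): handshake, a GET answered in three segments,
# a POST, and a request to an unrelated host that the filter must drop.
CAPTURE = [
    Pkt(0.000, CLIENT, SERVER, 0, 74), Pkt(0.020, SERVER, CLIENT, 0, 74),
    Pkt(0.021, CLIENT, SERVER, 0, 66), Pkt(0.022, CLIENT, SERVER, 0, 350, http_request=True),
    Pkt(0.080, SERVER, CLIENT, 0, 1514), Pkt(0.082, SERVER, CLIENT, 0, 1514),
    Pkt(0.085, SERVER, CLIENT, 0, 900, http_response=True), Pkt(0.086, CLIENT, SERVER, 0, 66),
    Pkt(0.500, CLIENT, "10.10.30.5", 2, 300, http_request=True),
    Pkt(1.000, CLIENT, SERVER, 1, 600, http_request=True), Pkt(1.150, SERVER, CLIENT, 1, 400, http_response=True),
]
```

Running `transaction_stats(CAPTURE)` gives stream 0 a duration of 0.063 s and 3928 server bytes (the three segments after the GET) and stream 1 0.15 s and 400 bytes, while the 10.10.30.5 request is excluded just as the display filter would exclude it.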
 

Author Comment

by:leblanc
ID: 39701967
Yes. The button will trigger the GET and POST.
"it takes time for the browser to render the page and you can't measure that with a packet trace. " Agree with this. That is why I need to look at the GET and POST.

Expert Comment

by:giltjr
ID: 39701984
O.K. Again, all you need is from the client side, unless you are trying to isolate server and network time.

Author Comment

by:leblanc
ID: 39702038
It is not always obvious to see the beginning and the end of a GET or POST transaction.

Expert Comment

by:giltjr
ID: 39702052
Maybe I'm missing something. Why do you say that?