• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 668

Wireshark packet tracking

I am capturing the packets with Wireshark on both ends of the WAN side. I am trying to track the packet when it comes to the other side. Is there anything within the packet that I can use to track my packet from the other side? Thanks
Asked by: leblanc (4 solutions)
 
Rick_O_Shay commented:
I am not sure exactly what you are looking for, but you can set display filters to see only a specific IP or MAC address, if that is what you are looking for.

For example, to filter to see a single IP address, in the white box next to the word Filter on the left above the packets, type in ip.addr==10.10.10.10 and hit Apply to see only packets from that one address.
0
 
leblanc (Author) commented:
What I meant was: if packet 1 on site A is going to site B and I am capturing the traffic in site B, which one of the packets is packet 1?
Packet 1 is just one of the packets for the communication between the client and the server (or between two IP addresses).
You can filter a specific IP address but how do you keep track of a specific packet within the conversation between two IP addresses.

I hope it makes sense. Thanks
0
 
giltjr commented:
If you are capturing both sides of a single TCP connection you should see the same thing on both sides.

Anyway TCP uses sequence numbers, so you can compare sequence numbers.
0
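The point about sequence numbers is the core of the matching problem, so here is an added worked example (not code from the original thread or from any of its participants) that shows which header fields identify "the same packet" at both ends of a routed WAN and which do not. TTL is decremented at every hop and each sniffer has its own clock, so those two fields must stay out of the match key; addresses, ports, the IP identification field, the raw TCP sequence/ack numbers and the payload survive the trip unchanged when no NAT is in the path. One caveat worth knowing when comparing two Wireshark captures by eye: Wireshark shows relative sequence numbers by default (TCP preference "Relative sequence numbers"), so the tcp.seq column restarts from 0 in each capture and will not line up; turn the preference off, or use the raw-sequence field, before comparing. The IP addresses, ports, sequence numbers and timestamps below are constructed sample data, and the 18 ms one-way delay and four router hops are assumptions.

```python
"""Match one packet across captures taken at both ends of a WAN.

What survives a routed (non-NAT) path: addresses, ports, the IP
identification field, raw TCP sequence/ack numbers and the payload.
What does not: TTL (decremented per hop) and the timestamp (each
sniffer has its own clock), so neither belongs in the match key.
All sample packets below are constructed, not from a real trace.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]
CLIENT, SERVER = "10.10.10.10", "10.10.20.1"   # assumed addresses, as in the thread


def _pkt(ts, src, dst, ttl, ip_id, sport, dport, seq, ack, flags, payload=b""):
    return dict(ts=ts, src=src, dst=dst, ttl=ttl, ip_id=ip_id, sport=sport,
                dport=dport, seq=seq, ack=ack, flags=flags, payload=payload)


# Site A (client side): TCP handshake plus the first HTTP request.
CAPTURE_A: List[Packet] = [
    _pkt(10.000, CLIENT, SERVER, 128, 0x1a2b, 51000, 80, 3000000000, 0, "S"),
    _pkt(10.036, SERVER, CLIENT, 60, 0x00f1, 80, 51000, 900000000, 3000000001, "SA"),
    _pkt(10.037, CLIENT, SERVER, 128, 0x1a2c, 51000, 80, 3000000001, 900000001, "A"),
    _pkt(10.038, CLIENT, SERVER, 128, 0x1a2d, 51000, 80, 3000000001, 900000001, "PA",
         b"GET /records HTTP/1.1\r\nHost: app\r\n\r\n"),
]


def _as_seen_at_site_b(pkt: Packet) -> Packet:
    """Same packet at the server side: assumed 18 ms one-way delay, 4 router hops."""
    outbound = pkt["src"] == CLIENT            # client -> server travels from A to B
    shift, hops = (0.018, -4) if outbound else (-0.018, 4)
    return {**pkt, "ts": round(pkt["ts"] + shift, 3), "ttl": pkt["ttl"] + hops}


# Site B (server side): the same four packets plus an unrelated SYN from another host.
CAPTURE_B: List[Packet] = [_as_seen_at_site_b(p) for p in CAPTURE_A] + [
    _pkt(10.040, "10.10.10.11", SERVER, 124, 0x2200, 51000, 80, 1234567890, 0, "S"),
]


def packet_key(pkt: Packet, ignore_addresses: bool = False) -> Tuple:
    """Fields that are identical at both capture points.

    With many-to-one NAT in the path the addresses and ports differ, so drop
    them and rely on IP ID, raw sequence numbers and a payload digest. Some
    firewalls also randomise TCP sequence numbers and some stacks reuse or
    zero the IP ID; then only the payload digest is left to match on.
    """
    digest = hashlib.sha256(pkt["payload"]).hexdigest()[:16]
    stable = (pkt["ip_id"], pkt["seq"], pkt["ack"], digest)
    if ignore_addresses:
        return stable
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"]) + stable


def naive_key(pkt: Packet) -> Tuple:
    """Deliberately wrong key, for comparison: includes the TTL, which routers change."""
    return packet_key(pkt) + (pkt["ttl"],)


def correlate(site_a: List[Packet], site_b: List[Packet],
              key: Callable[[Packet], Tuple] = packet_key) -> Tuple[List[Tuple[int, int, float]], List[int]]:
    """Return ([(index_in_a, index_in_b, one_way_delay_ms), ...], [unmatched indexes in a])."""
    index: Dict[Tuple, int] = {}
    for j, p in enumerate(site_b):
        index.setdefault(key(p), j)        # first occurrence wins; a retransmission repeats the key
    matches, unmatched = [], []
    for i, p in enumerate(site_a):
        j = index.get(key(p))
        if j is None:
            unmatched.append(i)
        else:
            matches.append((i, j, round((site_b[j]["ts"] - p["ts"]) * 1000, 3)))
    return matches, unmatched


def wireshark_filter(pkt: Packet) -> str:
    """Display filter to type into the other capture to find this one packet.

    tcp.seq_raw is the absolute sequence number; Wireshark's default tcp.seq
    is relative to each stream's first segment and differs between captures.
    """
    return f"ip.id == 0x{pkt['ip_id']:04x} && tcp.seq_raw == {pkt['seq']}"


if __name__ == "__main__":
    found, missing = correlate(CAPTURE_A, CAPTURE_B)
    for i, j, delay in found:
        print(f"A#{i} == B#{j}  one-way delay {delay:+.1f} ms  filter: {wireshark_filter(CAPTURE_A[i])}")
    print("unmatched with TTL in the key:", correlate(CAPTURE_A, CAPTURE_B, key=naive_key)[1])
```

The sign of the delay tells you the direction: client-to-server packets are seen at site B after site A, the SYN-ACK before. With clocks that are not synchronised between the two sniffers the absolute delay is meaningless, but the matching itself still works because no timestamp enters the key.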
 
Soulja commented:
The conversation between two devices is a series of packets until the conversation ends. One packet will only tell you part of the conversation. When you run the trace filter between the two IPs you will get the list of packets. Looking at a single packet is like reading one sentence in an entire page of dialogue.
0
 
leblanc (Author) commented:
Let's say there are many "topics" in a conversation. So tracking the beginning and the end of each topic will allow me to get the number of bytes and the duration for each "topic". That is what I am getting at.
I was trying to look for the sequence number of the packet on the other end and I could not find a match.
0
 
giltjr commented:
Let's take a step back. What higher level protocol are you trying to capture?

That is: http, cifs, telnet, ftp, ssh.
0
 
leblanc (Author) commented:
http
0
 
giltjr commented:
Sequence numbers should definitely be there and valid, HOWEVER, depending on various things you could still have problems.

Is this a private WAN or is this over the Internet?

Do you see the real IP addresses, or is one side going through a firewall that may be doing many-to-one NAT for outbound traffic?

What you should be able to do is setup a display filter like:

ip.addr == x.x.x.x and (http.request or http.response)

Where x.x.x.x is the client side IP address.  The problem you may see is if the client is behind a proxy server or firewall that does many-to-one NAT then all connections will have the same IP address.
0
 
leblanc (Author) commented:
Private WAN (MPLS).
I see the matching client and server IP addresses on both sides.
I did set up the filter for the IP address:
- server side filter (ip.addr==10.10.10.10). 10.10.10.10 is the client
- client side filter (ip.addr==10.10.20.1). 10.10.20.1 is the server.

There is no NAT involved.
0
 
giltjr commented:
Without any NAT you should be able to include the "and (http.request and http.response)" in the IP address filter and it will match up.

You might want to try:

((ip.src == 10.10.10.10 and ip.dst == 10.10.20.1) or (ip.dst == 10.10.10.10 and ip.src == 10.10.20.1)) and (http.request or http.response)

This should display only traffic that is between both of those hosts and are http.requests or responses.

Is there something specific you are looking for?
0
 
leblanc (Author) commented:
Yes. I am looking for the duration for a particular function. For example, when a user clicks on the Browse_Record button. I'd like to see how long it will take for the browser to display all the records on the client side.
0
 
giltjr commented:
Well, I don't think you will actually be able to see that in a packet trace.

Assuming that button causes an HTTP GET or POST:

From the client side you will be able to see when the GET/POST was issued and when the last packet for that GET/POST was received.    You don't need to do any tracing on the server side, unless you want to see how much server and network overhead there is.

However, it takes time for the browser to render the page and you can't measure that with a packet trace.
0
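The measurement described in the comment above (request goes out, last byte of the response comes in, measured from the client-side capture only) is what the added example below computes. It is not code from the original thread or from any of its participants. It takes a list of TCP segments from one capture, concatenates the server's segments per connection to stand in for TCP reassembly, and marks a transaction complete either when Content-Length bytes of body have arrived or, when the server sends no Content-Length, at the server's FIN. That distinction is exactly why the end of a GET or POST is not always obvious in a trace: on a keep-alive connection several requests share one TCP stream and no FIN marks the boundary between them, so the boundary has to come from the HTTP framing. Chunked transfer encoding is not handled here. In Wireshark itself the http.time field on a response ("Time since request") gives the same number once TCP reassembly is on, and tcp.stream groups the segments of one connection. Addresses, ports, URIs and timings below are constructed sample data, and the Browse_Record button is assumed to issue the POST shown.

```python
"""Time an HTTP GET/POST from a client-side capture: request line out,
last byte of the response in. Packets are dicts (ts, src, dst, sport,
dport, flags, payload) already in capture order; the code concatenates
the server's segments per connection to stand in for TCP reassembly.
The end of a response is found from Content-Length, or, when the server
sends none, from its FIN (Connection: close). Chunked transfer encoding
is not handled. All sample segments are constructed, not a real trace.
"""
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]
CLIENT, SERVER = "10.10.10.10", "10.10.20.1"   # assumed addresses, as in the thread
METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def _seg(ts: float, to_server: bool, payload: bytes = b"", flags: str = "PA",
         cport: int = 51000) -> Packet:
    src, dst, sport, dport = ((CLIENT, SERVER, cport, 80) if to_server
                              else (SERVER, CLIENT, 80, cport))
    return dict(ts=ts, src=src, dst=dst, sport=sport, dport=dport, flags=flags, payload=payload)


POST_RESP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 4000\r\n\r\n"

SAMPLE: List[Packet] = [
    # Connection 1, keep-alive: a small GET, then the (assumed) Browse_Record POST.
    _seg(0.000, True, b"GET /login HTTP/1.1\r\nHost: app\r\n\r\n"),
    _seg(0.045, False, b"HTTP/1.1 200 OK\r\nContent-Length: 30\r\n\r\n" + b"x" * 20),
    _seg(0.050, False, b"x" * 10),                  # last 10 body bytes -> GET complete
    _seg(0.200, True, b"POST /browse_record HTTP/1.1\r\nHost: app\r\n"
                      b"Content-Length: 11\r\n\r\nid=42&all=1"),
    _seg(0.240, False, POST_RESP_HEAD + b"y" * 1000),
    _seg(0.260, False, b"y" * 1500),
    _seg(0.280, False, b"y" * 1500),                # 4000 body bytes -> POST complete
    # Connection 2, HTTP/1.0 style: no Content-Length, server closes when done.
    _seg(1.000, True, b"GET /report HTTP/1.1\r\nHost: app\r\n\r\n", cport=51001),
    _seg(1.030, False, b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n" + b"z" * 500, cport=51001),
    _seg(1.100, False, b"", flags="FA", cport=51001),   # the FIN marks the end
]


def _conn(p: Packet, client: str) -> Tuple:
    """Normalise both directions of a TCP connection to one key."""
    if p["src"] == client:
        return (p["src"], p["sport"], p["dst"], p["dport"])
    return (p["dst"], p["dport"], p["src"], p["sport"])


def _response_head(buf: bytes) -> Optional[Tuple[int, Optional[int]]]:
    """(header length, Content-Length or None) once the response header is complete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    clen = None
    for line in buf[:end].split(b"\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            clen = int(value.strip())
    return end + 4, clen


def http_transactions(packets: List[Packet], client: str = CLIENT) -> List[Dict[str, object]]:
    """One record per request: method, uri, start, end, duration_ms, resp_bytes."""
    done: List[Dict[str, object]] = []
    state: Dict[Tuple, Dict[str, object]] = {}      # per connection: open transaction + response buffer
    for p in sorted(packets, key=lambda x: x["ts"]):
        st = state.setdefault(_conn(p, client), {"tx": None, "buf": b""})
        payload = p["payload"]
        if p["src"] == client:
            # A request line starts a transaction; a POST body continuation does not.
            if payload and payload.split(b" ", 1)[0] in METHODS:
                method, uri = payload.split(b"\r\n", 1)[0].split(b" ")[:2]
                st["tx"] = {"method": method.decode(), "uri": uri.decode(), "start": p["ts"],
                            "end": None, "resp_bytes": 0}
                st["buf"] = b""
            continue
        tx = st["tx"]
        if tx is None:
            continue                                 # server data outside any request (ignored)
        if payload:
            st["buf"] += payload
            tx["resp_bytes"] += len(payload)
            head = _response_head(st["buf"])
            if head and head[1] is not None and len(st["buf"]) - head[0] >= head[1]:
                tx["end"] = p["ts"]                  # Content-Length bytes of body have arrived
        if "F" in p["flags"] and tx["end"] is None:
            tx["end"] = p["ts"]                      # no Content-Length: the server's FIN ends it
        if tx["end"] is not None:
            tx["duration_ms"] = round((tx["end"] - tx["start"]) * 1000, 1)
            done.append(tx)
            st["tx"] = None
    return done


if __name__ == "__main__":
    for t in http_transactions(SAMPLE):
        print(f'{t["method"]} {t["uri"]}: {t["duration_ms"]} ms, {t["resp_bytes"]} response bytes')
```

Measured this way the numbers are pure network plus server time as seen from the client; rendering time in the browser, as the comment above says, starts after the last byte and never shows up in a trace.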
 
leblanc (Author) commented:
Yes. The button will trigger the GET and POST.
"it takes time for the browser to render the page and you can't measure that with a packet trace. " Agree with this. That is why I need to look at the GET and POST.
0
 
giltjr commented:
O.K. Again, all you need is from the client side, unless you are trying to isolate server and network time.
0
 
leblanc (Author) commented:
It is not obvious sometimes to see the beginning and the end of a GET or POST transaction.
0
 
giltjr commented:
Maybe I am missing something. Why do you say that?
0