Wireshark mailing list archives

Re: FW: Merging files duplicate acks &retransmissions


From: "Keith French" <keithfrench () btconnect com>
Date: Fri, 28 May 2010 13:53:21 +0100

Hi Martin,
 
The "Compare" stat doesn't seem to make much difference other than halving the number of packets when you filter on one 
direction only. I would really like to see your documentation, when you have tried it. I'm sure that I don't fully 
understand the start & stop and info packet display numbering, once the compare has run.
 
Keith French.

________________________________

From: wireshark-users-bounces () wireshark org on behalf of Martin Visser
Sent: Thu 27/05/2010 23:02
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] FW: Merging files duplicate acks &retransmissions


From reading http://wireshark.askapache.com/lists/wireshark-bugs/200806/msg00042.html it would seem you might be best 
filtering traffic only coming from one direction before merging (It's a feature I might need to try out and document 
properly. It would seem to be mostly useful for detecting dropped packets). 



Regards, Martin

MartinVisser99 () gmail com



On Fri, May 28, 2010 at 7:42 AM, Martin Visser <martinvisser99 () gmail com> wrote:


        If you merge two cap files of effectively the same data without doing any other pre-filtering, you are 
going to have a lot of TCP segment pairs having the same SEQ and IP address/ports. Wireshark (as it emulates what a TCP 
would "think") will by definition interpret them as dups, window updates and retransmissions depending on the order 
that the merge produces.  

        (I haven't seen the compare feature as yet so I am unsure whether you are doing this the right way)

        Regards, Martin
        
        MartinVisser99 () gmail com 



        On Thu, May 27, 2010 at 8:03 PM, Keith French <keithfrench () btconnect com> wrote:
        

                Sorry in my first email I forgot to state the mergecap syntax I was using. It is:-
                
                mergecap -F libpcap -w merged.pcap client.pcap server.pcap
                
                Where "client.pcap" & "server.pcap" are the traces from either end of the connection and "merged.pcap" 
is my resulting merged trace.
                
                Keith French.
                
                ________________________________
                
                From: Keith French
                Sent: Wed 26/05/2010 15:32
                
                To: wireshark-users () wireshark org
                
                Subject: Merging files duplicate acks & retransmissions
                


                I have two captures taken on two laptops at either end of a client/server scenario. I want to merge them 
to use later with the new compare feature on Wireshark's Statistics menu. Neither trace has any TCP analysis flags set, 
other than a few window size updates & 1 retransmission.
                
                However, when I merge them with Mergecap chronologically, I end up with about 400 TCP window size 
updates, duplicate acks & retransmissions etc.
                
                I have tried this on several different trace scenarios and get similar results. Why does this happen?
                
                Keith French.
                ___________________________________________________________________________
                Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
                Archives:    http://www.wireshark.org/lists/wireshark-users
                Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
                            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
                




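The effect Martin describes, and the one-direction pre-filter he suggests, reproduced as an added illustration that is not part of the thread above. It builds two hypothetical libpcap files of the same five-segment TCP exchange, one as each endpoint would have captured it (the addresses 10.0.0.1/10.0.0.2, ports and timestamps are constructed), merges them chronologically the way mergecap does, and counts segments whose (addresses, ports, SEQ, ACK, flags) tuple has already been seen, which is what a TCP analyser turns into "duplicate ACK" or "retransmission" flags. Keeping only the locally sent direction from each file before the merge removes every repeat.

```python
"""Merging two end-to-end captures: why the analyser sees dups, and the fix."""
import struct
from typing import List, Tuple

CLIENT, SERVER = "10.0.0.1", "10.0.0.2"   # constructed addresses for the illustration
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Raw Ethernet/IPv4/TCP frame. Checksums are left zero: only the headers matter here."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def write_pcap(packets: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) pairs as a classic libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> List[Tuple[float, bytes]]:
    """Parse the classic little-endian libpcap format written by write_pcap."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4
    pos, packets = 24, []
    while pos < len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        packets.append((sec + usec / 1e6, data[pos:pos + caplen]))
        pos += caplen
    return packets


def segment_key(frame: bytes) -> Tuple:
    """(src, dst, sport, dport, seq, ack, flags): the tuple a TCP analyser uses to spot a repeat."""
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[14 + ihl:14 + ihl + 14])
    return (src, dst, sport, dport, seq, ack, flags)


def merge(*captures: bytes) -> List[Tuple[float, bytes]]:
    """Chronological merge of whole files, as `mergecap -w merged.pcap a.pcap b.pcap` does."""
    return sorted((p for cap in captures for p in read_pcap(cap)), key=lambda p: p[0])


def count_repeats(packets: List[Tuple[float, bytes]]) -> int:
    """Number of segments whose key was already seen earlier in the merged stream."""
    seen, repeats = set(), 0
    for _, frame in packets:
        key = segment_key(frame)
        repeats += key in seen
        seen.add(key)
    return repeats


def keep_locally_sent(cap: bytes, local_ip: str) -> bytes:
    """Pre-filter: keep only segments the capturing host itself transmitted."""
    return write_pcap([p for p in read_pcap(cap) if segment_key(p[1])[0] == local_ip])


# Constructed exchange: (timestamp seen at client, timestamp seen at server, frame).
# Both laptops see every segment, so each capture contains all five.
EXCHANGE = [
    (1.000, 1.001, build_segment(CLIENT, SERVER, 40000, 80, 100, 0, SYN)),
    (1.002, 1.001, build_segment(SERVER, CLIENT, 80, 40000, 500, 101, SYNACK)),
    (1.002, 1.003, build_segment(CLIENT, SERVER, 40000, 80, 101, 501, ACK)),
    (1.010, 1.011, build_segment(CLIENT, SERVER, 40000, 80, 101, 501, PSHACK, b"GET / HTTP/1.0\r\n\r\n")),
    (1.012, 1.011, build_segment(SERVER, CLIENT, 80, 40000, 501, 119, ACK)),
]
CLIENT_CAP = write_pcap([(c, f) for c, _, f in EXCHANGE])
SERVER_CAP = write_pcap([(s, f) for _, s, f in EXCHANGE])


def naive_merge_repeats() -> int:
    """Merge as-is: every segment is present twice, so the analyser flags 5 repeats."""
    return count_repeats(merge(CLIENT_CAP, SERVER_CAP))


def filtered_merge_repeats() -> int:
    """Keep each side's transmitted direction only, then merge: no repeats at all."""
    return count_repeats(merge(keep_locally_sent(CLIENT_CAP, CLIENT),
                               keep_locally_sent(SERVER_CAP, SERVER)))


if __name__ == "__main__":
    print("unfiltered merge:", naive_merge_repeats(), "repeated segments")
    print("one-direction merge:", filtered_merge_repeats(), "repeated segments")
```

With real files the same pre-filter is a display filter applied while writing, e.g. `tshark -r client.pcap -Y "ip.src == 10.0.0.1" -w client_tx.pcap` (and the server address for the other file), after which the two outputs can be handed to mergecap as in Keith's command line. A merge filtered this way keeps one copy of every segment, so the only TCP analysis flags that remain are the ones a single vantage point would also have produced, which is what makes the compare statistic usable for spotting segments that left one end and never arrived at the other.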
