Wireshark mailing list archives

Re: Need help with analysis of two related captures


From: Kurt Buff <kurt.buff () gmail com>
Date: Tue, 3 Jun 2014 13:31:47 -0700

I can share privately, certainly.

I've got a delta column added, and do see some big deltas (14s, 15s,
and even 75s and 83s and 94s (!)).

The firewalls we have don't have IDS/IPS capability, so that random
guess didn't hit the mark :).

I've got one of Laura Chappell's books and am working my way through
it, and also through a number of videos on youtube (what great
resources they are, too), but wanted to really nail this down for the
engineer, who's being a bit persnickety about it all.

Thanks,

Kurt

On Tue, Jun 3, 2014 at 1:17 PM, <Tim.Poth () bentley com> wrote:
Can you share the captures? If you can ask specific 'I don't understand this frame' questions we might be able to help,
but troubleshooting blind is kind of hard. There are a number of good Wireshark 101 books if you have that kind of
time and a LOT of content on youtube. Sharkfest sharkfest.wireshark.org is just over a week away, no better place
than there to learn Wireshark.
In GENERAL out of order packets from AU wouldn't really surprise me, the resets are likely one side giving up, are
there a lot of retransmissions or huge time gaps before a reset? Adding a delta column to Wireshark can be a huge
help when looking at that. Following the different streams might help you get a clearer view of what's up (clear some
noise). Did you capture ICMP frames or JUST the port this app runs on? ICMP can give huge hints when things go off
the rails. Have you checked the firewall logs? Depending on the firewall, have you tried excluding the traffic from
deep IPS / IDS checks (yea, just guessing at random now).

tim

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Kurt Buff
Sent: Tuesday, June 3, 2014 3:45 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] Need help with analysis of two related captures

All,

I have an engineer developing a tool in our AU office. His work requires that a machine in his office talk with
two machines in our US office.

If one of the US machines fails to respond, the second machine is supposed to pick up the conversation.

However, he's getting timeouts from both, randomly. I've got a tcpdump capture that he sent initially, and then a 
pair that I captured of an event from firewalls at both ends, but as a relative newb at this kind of troubleshooting, 
all I can see are a fair number of out of order packets and resets, and can't really tell him more than that.

The captures are small (2k, 4k and 6k).

I'd love to find a facility or help of some sort to get to the bottom of the problem, if I can.

Can anyone point me to where I might find some help on analysing these?

Kurt
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
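Tim's checklist (delta column, retransmissions, big gaps before a reset, per-stream view) can be scripted over a tshark field export. The script below is an added example, not code from the thread; it assumes a tab-separated dump produced with `tshark -r capture.pcap -T fields -E separator=/t -e frame.time_relative -e tcp.stream -e ip.src -e tcp.seq -e tcp.len -e tcp.flags.reset`, and the embedded sample lines are constructed, not taken from Kurt's captures.

```python
"""Per-TCP-stream gap / retransmission / reset report from a tshark field export."""
from collections import defaultdict

# Constructed sample: stream 0 shows three sends of the same segment, then a
# reset ~75 s after the last one; stream 1 is a healthy exchange.
SAMPLE = """\
0.000000\t0\t10.1.1.5\t0\t0\t0
0.210000\t0\t192.168.2.9\t0\t0\t0
0.430000\t0\t10.1.1.5\t1\t100\t0
0.650000\t0\t192.168.2.9\t1\t40\t0
1.200000\t0\t10.1.1.5\t101\t100\t0
2.400000\t0\t10.1.1.5\t101\t100\t0
4.800000\t0\t10.1.1.5\t101\t100\t0
80.100000\t0\t192.168.2.9\t41\t0\t1
0.100000\t1\t10.1.1.6\t0\t0\t0
0.300000\t1\t192.168.2.9\t0\t0\t0
0.500000\t1\t10.1.1.6\t1\t50\t0
0.700000\t1\t192.168.2.9\t1\t20\t0
"""

def parse(text):
    """Group tshark field lines by tcp.stream; booleans may print as 1/0 or True/False."""
    streams = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        t, stream, src, seq, length, rst = line.split("\t")
        streams[int(stream)].append({"t": float(t), "src": src, "seq": int(seq),
                                     "len": int(length), "rst": rst in ("1", "True", "true")})
    return streams

def analyse(streams, gap_threshold=10.0):
    """Report retransmissions (same src+seq with payload, a crude stand-in for
    tcp.analysis.retransmission), the largest delta, and the gap before the first RST."""
    report = {}
    for sid, pkts in streams.items():
        pkts.sort(key=lambda p: p["t"])
        seen, retrans, max_gap, prev_t = set(), 0, 0.0, None
        gap_before_rst, rst_from = None, None
        for p in pkts:
            if prev_t is not None:
                max_gap = max(max_gap, p["t"] - prev_t)
            if p["len"] > 0:                       # ignore SYN/ACK-only frames
                key = (p["src"], p["seq"])
                retrans += key in seen
                seen.add(key)
            if p["rst"] and prev_t is not None and gap_before_rst is None:
                gap_before_rst, rst_from = p["t"] - prev_t, p["src"]  # who gave up, and after how long
            prev_t = p["t"]
        report[sid] = {"retransmissions": retrans, "max_gap": max_gap, "rst_from": rst_from,
                       "gap_before_rst": gap_before_rst,
                       "suspect": gap_before_rst is not None and gap_before_rst >= gap_threshold}
    return report
```

Streams whose reset follows a gap over the threshold are the ones to hand the engineer first, together with the side that sent the RST.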