Wireshark mailing list archives

Re: Identifying packets beyond proxies


From: "Ed Hoeffner" <hoeff001 () umn edu>
Date: Thu, 2 Apr 2015 16:14:26 -0500

Hi

You could ping one or both of the endpoints from the other to provide a reference point in each capture. Those packets will stand out…

Ed

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of masonke
Sent: Thursday, April 02, 2015 3:52 PM
To: Julio Talaverano; Community support list for Wireshark
Subject: Re: [Wireshark-users] Identifying packets beyond proxies

To do what you want, I would first identify the flows using the 5-tuple (src/dst IP, src/dst port and protocol), then find the packets using the actual Seq/Ack number pair and, if available, the timestamps. Relative numbers mean just that: relative to the capture. If you have the SYN from the session in all your captures, then relative frames should be enough. If you don't, then you need the actual numbers.

Kevin Mason
~KEM

On Apr 2, 2015, at 10:22, Julio Talaverano <delaflota () yahoo com> wrote:

Hi,

I have to investigate slow speeds in the peak hours when our users surf the internet.

The first problem is that we use three proxies throughout our network (A, B and C) until the last one (C) connects to the web server through the last firewall.

The second problem is that we use the BitBox Enterprise solution, which means that any connection goes over a VPN to the BitBox gateway and then the traffic continues through the other proxies in the clear, which means I can't follow a connection from the initiating client.

My approach is to capture the traffic on all intermediate stations in order to find out the RTTs of several HTTP packets when they enter proxy A (Ironport) and when the same packet leaves the internet firewall.

If this time is too long then I try to find the bottleneck inside our network.

So I tried a few tests accessing some unusual pages just to be sure that they are not in any of the caches and no one else is accessing them while I'm testing.

My question is now: how can I reliably identify a packet along the whole path (at any intermediate capturing device)?

Are the relative SEQ# in Wireshark reliable enough? Or at least a series of identical SEQs?

Or is there a better way to do that?

Thanks

Julio

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org <mailto:wireshark-users () wireshark org> >
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
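Editor's note: the following is an added example, not code from anyone in this thread or from the Wireshark project. It illustrates Kevin's advice (match on the 5-tuple plus the absolute Seq/Ack pair rather than on relative numbers) and the reason behind it (relative numbers depend on whether a capture saw the SYN). It builds two constructed captures of the same proxy-to-server segments, one taken at proxy C's egress and one at the firewall, where the second sniffer was started late and missed the SYN; addresses, ports, IP IDs, timestamps and the function names are all assumptions for the example. The match key also takes the TCP flags, payload length and IPv4 ID, because a pure ACK and the data segment that follows it carry the same Seq/Ack pair.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

class Segment(NamedTuple):
    ts_us: int       # capture timestamp in microseconds
    src: str
    dst: str
    sport: int
    dport: int
    seq: int         # absolute sequence number, as sent on the wire
    ack: int         # absolute acknowledgement number
    flags: int       # TCP flag byte (SYN=0x02, PSH=0x08, ACK=0x10)
    payload_len: int
    ip_id: int       # IPv4 Identification field

def parse_frame(ts_us: int, frame: bytes) -> Optional[Segment]:
    """Decode an Ethernet II + IPv4 + TCP frame; anything else yields None."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack('!HH', ip[2:6])
    if ip[9] != 6:                                   # protocol 6 = TCP
        return None
    src = '.'.join(map(str, ip[12:16]))
    dst = '.'.join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, doff, flags = struct.unpack('!HHIIBB', tcp[:14])
    return Segment(ts_us, src, dst, sport, dport, seq, ack, flags,
                   len(tcp) - (doff >> 4) * 4, ip_id)

def match_key(s: Segment) -> tuple:
    """Fields a router or stateless firewall forwards unchanged (TTL and checksums
    change per hop and are left out). A proxy terminates TCP, so this key only
    holds between capture points on the same TCP leg; NAT would rewrite it too."""
    return (s.src, s.dst, s.sport, s.dport, s.seq, s.ack, s.flags, s.payload_len, s.ip_id)

def relative_seqs(cap: List[Tuple[int, bytes]]) -> List[int]:
    """Mimic Wireshark's relative sequence numbers: per direction the base is the
    first segment the capture happened to see (the SYN, if it was seen), so the
    same segment can carry different relative numbers in two captures."""
    base, rel = {}, []
    for ts_us, frame in cap:
        seg = parse_frame(ts_us, frame)
        if seg is None:
            continue
        direction = (seg.src, seg.dst, seg.sport, seg.dport)
        base.setdefault(direction, seg.seq)
        rel.append((seg.seq - base[direction]) & 0xFFFFFFFF)
    return rel

def correlate(cap_a, cap_b) -> List[Tuple[tuple, int, int, int]]:
    """Pair each segment of cap_a with the identical segment in cap_b and return
    (key, ts_a_us, ts_b_us, transit_us). Segments seen in only one capture are
    dropped. transit_us is only meaningful if both sniffers' clocks are synced."""
    pending = {}
    for ts_us, frame in cap_b:
        seg = parse_frame(ts_us, frame)
        if seg is not None:
            pending.setdefault(match_key(seg), []).append(seg.ts_us)
    matches = []
    for ts_us, frame in cap_a:
        seg = parse_frame(ts_us, frame)
        if seg is None:
            continue
        k = match_key(seg)
        if pending.get(k):                           # same segment seen downstream
            tb = pending[k].pop(0)
            matches.append((k, seg.ts_us, tb, tb - seg.ts_us))
    return matches

def build_frame(src, dst, sport, dport, seq, ack, ip_id, flags, payload=b'') -> bytes:
    """Constructed test frame: Ethernet II + minimal IPv4 + 20-byte TCP header."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp

# Constructed sample: proxy C (10.0.3.5) fetching an uncached page from a web
# server (203.0.113.80); only the proxy -> server direction is shown.
PROXY_C, WEB = '10.0.3.5', '203.0.113.80'
ISN_C, ISN_W = 0x12345678, 0x9ABCDEF0
GET = b'GET /unusual-page HTTP/1.1\r\nHost: example\r\n\r\n'
SEGMENTS = [  # (ip_id, seq, ack, flags, payload)
    (0x0101, ISN_C,     0,         0x02, b''),     # SYN
    (0x0102, ISN_C + 1, ISN_W + 1, 0x10, b''),     # ACK completing the handshake
    (0x0103, ISN_C + 1, ISN_W + 1, 0x18, GET),     # PSH/ACK: same seq/ack as the ACK
]
FRAMES = [build_frame(PROXY_C, WEB, 40000, 80, seq, ack, ip_id, flags, payload)
          for ip_id, seq, ack, flags, payload in SEGMENTS]
# The sniffer on proxy C's egress saw all three segments; the sniffer on the
# firewall's outside interface was started late and missed the SYN, and every
# segment reached it 2.1 ms later (all timestamps constructed).
CAP_PROXY_C = list(zip([0, 30_000, 30_200], FRAMES))
CAP_FIREWALL = [(ts + 2_100, frame) for ts, frame in CAP_PROXY_C[1:]]

if __name__ == '__main__':
    print('relative seq at proxy C :', relative_seqs(CAP_PROXY_C))   # [0, 1, 1]
    print('relative seq at firewall:', relative_seqs(CAP_FIREWALL))  # [0, 0]
    for key, ta, tb, delta in correlate(CAP_PROXY_C, CAP_FIREWALL):
        print(f'ip_id=0x{key[-1]:04x} seq={key[4]} len={key[7]}: {ta} us -> {tb} us, transit {delta} us')
```

The GET segment is relative sequence number 1 at proxy C but 0 at the firewall, which is exactly why relative numbers cannot be used to line up captures unless every capture contains the SYN; the absolute key matches it in both. Two caveats for the setup in the thread: this only works between capture points on the same TCP leg (each proxy terminates the connection, so the 5-tuple and sequence numbers are different on either side of it, and the total delay is the sum of the per-leg results), and the transit time is only as good as the synchronization of the sniffers' clocks. Ed's ping between the endpoints gives a visible marker in each capture that can be used to sanity-check that offset.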
