Dear Samson,
On 24 Apr 2009, at 7:50 PM, Guy Harris wrote:
> On Apr 23, 2009, at 12:10 PM, Samson Martinez wrote:
>> Brand-new subscriber to this user-list – long time user of
>> Wireshark. I’ve been trying to determine the easiest method for
>> matching up packets that have been simultaneously captured on two
>> systems and I thought, it appears erroneously, that all the info in
>> the packets would match, including sequence numbers, etc.
>> For example, I took simultaneous captures on two separate servers
>> (Solaris servers using snoop) and then loaded both files into
>> Wireshark to compare. I used the timestamps & IP Identification
>> field to match up packets. However, the sequence numbers don’t
>> match up. Is this normal?
You are referring to TCP or UDP, multicast or unicast?
Timestamps can only be used if your clocks on both systems are
synchronised accurately. TCP sequence numbers are not the same due to
the Nagle algorithm.
From what you are trying to do I guess it is a UDP stream that
arrives from the same source to both servers. In this case you have to
use higher level protocol headers in order to manage to match the
packets. i.e. if you use MGEN to generate traffic you can use the
timestamp field that is inserted by the generator at source, and
resides on the application protocol header, as a good matching filter.
If you can be more detailed in what you try to do, I may have a better
suggestion.
BR
George
> By "sequence numbers" are you referring to TCP sequence numbers, the
> numbers in the "No." column in the display, or some other sequence
> numbers?
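An added example, not part of the original thread or of Wireshark: one way to pair packets from two captures without trusting either clock, keying on source, destination, IP Identification and payload, and then estimating the clock difference from the matched pairs. The row layout (epoch time, source, destination, IP ID, payload hex, as could be exported per packet) and all sample values are constructed assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample rows: epoch time, ip.src, ip.dst, ip.id, payload hex.
# Capture B's clock runs about 2.5 s ahead and it missed one packet.
CAPTURE_A = """\
1240500000.000100,10.0.0.5,239.1.1.1,0x1a01,6d67656e0001
1240500000.010200,10.0.0.5,239.1.1.1,0x1a02,6d67656e0002
1240500000.020300,10.0.0.5,239.1.1.1,0x1a03,6d67656e0003
1240500000.030400,10.0.0.5,239.1.1.1,0x1a01,6d67656e0004
"""
CAPTURE_B = """\
1240500002.500300,10.0.0.5,239.1.1.1,0x1a01,6d67656e0001
1240500002.510500,10.0.0.5,239.1.1.1,0x1a02,6d67656e0002
1240500002.530600,10.0.0.5,239.1.1.1,0x1a01,6d67656e0004
"""

def load(text):
    """Return [(timestamp, key)]; the key excludes the capture-local clock."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if row:
            t, src, dst, ip_id, payload = row
            rows.append((float(t), (src, dst, int(ip_id, 16), payload)))
    return rows

def match(cap_a, cap_b):
    """Pair packets on (src, dst, IP ID, payload); equal keys pair in capture order."""
    pending = defaultdict(list)
    for t, key in cap_b:
        pending[key].append(t)
    pairs, only_a = [], []
    for t, key in cap_a:
        if pending[key]:
            pairs.append((key, t, pending[key].pop(0)))
        else:
            only_a.append(key)
    only_b = [key for key, times in pending.items() for _ in times]
    return pairs, only_a, only_b

def clock_offset(pairs):
    """Median of (time at B - time at A): clock difference plus any path-delay difference."""
    return statistics.median(tb - ta for _, ta, tb in pairs)

if __name__ == "__main__":
    pairs, only_a, only_b = match(load(CAPTURE_A), load(CAPTURE_B))
    print(len(pairs), "matched;", len(only_a), "only in A;", len(only_b), "only in B")
    print("estimated clock offset (B - A): %.4f s" % clock_offset(pairs))
```

Including the payload in the key keeps a reused IP Identification value (0x1a01 in the sample) from pairing two different packets.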