Wireshark-users: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture
Sounds like a handy feature! Before advancing the idea, be aware of the use cases where it is useful and where it is not. From my former projects I have collected some; see the examples below. My understanding is that, using the "frame.interface_id" field, one can filter and analyze packets coming from multiple interfaces without combination.
/Tamas
Some use cases where combination is useful:
- Dual-interface end hosts communicate over two Ethernet switches in load-balancing mode. Packets of a TCP connection may be sent over both switches, thus combining packets from both switch port mirrors is needed to have an entire TCP flow analysis.
- In case of tapping optical links, you receive the uplink and downlink packet streams separately; obviously, recombination is also needed here.
- In 3GPP systems where ATM is still in place, the control plane is sent over ATM/AAL5 and the user plane is conveyed in Ethernet/IP (or still over ATM). Combination of traces with different link-layer framing is awkwardly complicated (without this 1.8.0 feature).
Some use cases where combination is not useful:
- For troubleshooting delay/loss problems, the traffic is captured "before" and "after" the suspected box. The packets of the same TCP connection appear twice, which are actually two different snapshots of the traffic.
- Similar to the above, when, in a 3GPP core network, traffic of the Iu, Gn and Gi interfaces is conveyed on the same switching infrastructure (via different VLANs). Thus the same user packet is present with different tunnel headers.
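The per-interface analysis described in this message, as an added example that is not part of the original post: a minimal pcapng reader (hypothetical helper names, little-endian sections only) that groups Enhanced Packet Blocks by their interface ID, the same value Wireshark exposes as frame.interface_id, and flags packets whose bytes appear on more than one interface, which is the "before and after the box" double-snapshot case above. The capture file is constructed in memory with a small builder so the script runs offline.

```python
import struct
from collections import defaultdict

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types

def build_pcapng(packets):
    """Construct a little-endian pcapng blob: one SHB, two IDBs, then EPBs.
    packets: list of (interface_id, timestamp, frame_bytes). Test data only."""
    def block(btype, body):
        total = 12 + len(body)
        return struct.pack("<II", btype, total) + body + struct.pack("<I", total)
    out = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, unknown length
    out += block(IDB, struct.pack("<HHI", 1, 0, 65535)) * 2     # two Ethernet interfaces
    for iface, ts, data in packets:
        hdr = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        out += block(EPB, hdr + data + b"\0" * ((-len(data)) % 4))  # pad data to 32 bits
    return out

def packets_by_interface(blob):
    """Walk the block chain and group EPB payloads by interface ID (frame.interface_id)."""
    groups, off = defaultdict(list), 0
    while off < len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        if total < 12:
            raise ValueError("malformed block length at offset %d" % off)
        if btype == SHB and struct.unpack_from("<I", blob, off + 8)[0] != 0x1A2B3C4D:
            raise ValueError("big-endian section not supported by this example")
        if btype == EPB:
            iface, ts_hi, ts_lo, caplen, _ = struct.unpack_from("<IIIII", blob, off + 8)
            groups[iface].append(((ts_hi << 32) | ts_lo, blob[off + 28:off + 28 + caplen]))
        off += total
    return dict(groups)

def duplicate_snapshots(groups):
    """Frames whose bytes were captured on more than one interface: two snapshots of one packet."""
    seen = defaultdict(set)
    for iface, pkts in groups.items():
        for _, data in pkts:
            seen[data].add(iface)
    return {data: ifaces for data, ifaces in seen.items() if len(ifaces) > 1}

# Constructed sample: interface 0 taps "before" the box, interface 1 taps "after" it.
SAMPLE = [(0, 100, b"tcp-seg-1"), (1, 105, b"tcp-seg-1"), (0, 110, b"tcp-seg-2"), (1, 120, b"other")]

if __name__ == "__main__":
    groups = packets_by_interface(build_pcapng(SAMPLE))
    for iface, pkts in sorted(groups.items()):
        print("interface %d: %d packets" % (iface, len(pkts)))
    print("seen on both taps:", sorted(duplicate_snapshots(groups)))
```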
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Christopher Maynard
Sent: Friday, June 29, 2012 02:46
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture
Jeff Morriss <jeff.morriss.ws@...> writes:
> On Tue, Jun 26, 2012 at 8:51 AM, Keith French <keithfrench@...> wrote:
> > Thanks for a really fantastic new release of Wireshark.
> >
> > I have been trying out Wireshark V1.8.0 capturing on 2 NICs simultaneously using the .pcapng format.
> However, I am not really sure what I am expecting to see when analysing the trace.
>
> The main thing is that you can get packets from 2 interfaces at the same time. No other real changes.
Should other real changes be made? For example, would it make sense to take into account the interface when performing reassembly, conversation tracking, etc? I would think that in many (most?) cases, it wouldn't be very useful to try to mix/combine that type of analysis across interfaces. I'm sure there could be cases where more than 1 interface could be used for an entire conversation (for example), so maybe have a preference to control whether the interface should or should not be taken into account?
- Chris