


The Wireshark ‘conversations’ tool allows you to quickly hone in on specific traffic flows, often when you know only some of the identifying information. The customer reports downloads of

Conversation menu:

The first window that pops up will show us all of the Layer 2 conversations – i.e. source and destination MAC address pairs. Already we’ve narrowed down the L4 protocol to TCP, however, because the UDP tab is grayed out – indicating that there are no UDP conversations. We still have some 66 conversations to sift through, and we don’t know what the Server IP is, but we DO know that whatever it is, it has to be sending 10.1.0.13 a lot of traffic, so we sort by “Packets” and see what comes up:

OK, our top hits are almost all from the same server, and the owner of that server per is the major ISP Sprint. That’s fairly solid evidence that this IP is our source.

With that settled, we click on the top conversation and then click the Follow Stream button:

Wireshark shows us the decoded output of the TCP stream. If this were an HTML page GET, we’d see the source text for the page. In this case, we see a regular pattern of characters – yet further evidence that this is the speed test traffic. Since we don’t need to analyze the payload of the TCP traffic, we can just close this window, and the Conversations window behind it.

Note that Wireshark has already isolated the stream for us by applying the display filter tcp.stream eq 12. The number 12 has no inherent significance in the packets; it’s simply the 12th TCP stream that Wireshark detected in the entire capture. In order to save time going forward, we’re going to export this stream only to a new file and work from that file. If we did not, then every display filter change would have to be run against all of the packets in the capture, and that can be a very slow process. So, we go to File > Export Specified Packets and make sure that the column selected for All packets is Displayed:

We’re looking for problems, and there’s a quick display filter to display interesting TCP packets in Wireshark:

The black and red highlighted packets have been flagged by Wireshark as indicating a breakdown in the TCP process. Analyzing each in detail would take another post, but the key points are these: retransmissions from 165.166.8.60 to 10.1.0.13 tell us that packets were lost in that direction and are being re-sent.
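To make the mechanics of the walkthrough concrete, here is an added Python example (not code from the original post or from Wireshark) that re-implements, in miniature, what the Conversations window, the tcp.stream index, the "Displayed" export and the retransmission flag do. It runs over a constructed list of packet records: the addresses 165.166.8.60 and 10.1.0.13 come from the post, while the ports, sequence numbers, payload sizes and the third host 192.0.2.10 are made up for illustration. The retransmission check is a deliberately simplified stand-in for Wireshark's own analysis heuristics, not a reproduction of them.

```python
from collections import defaultdict

# Constructed sample packets (not a real capture):
# (src_ip, src_port, dst_ip, dst_port, tcp_seq, payload_len)
# Ports, sequence numbers and 192.0.2.10 are invented; the two IPs are from the post.
PACKETS = [
    ("10.1.0.13", 51000, "165.166.8.60", 8080, 1, 0),        # SYN
    ("165.166.8.60", 8080, "10.1.0.13", 51000, 1, 0),        # SYN/ACK
    ("10.1.0.13", 51000, "165.166.8.60", 8080, 1, 0),        # ACK
    ("165.166.8.60", 8080, "10.1.0.13", 51000, 1, 1460),     # data
    ("165.166.8.60", 8080, "10.1.0.13", 51000, 1461, 1460),  # data
    ("165.166.8.60", 8080, "10.1.0.13", 51000, 1461, 1460),  # same seq again: retransmission
    ("10.1.0.13", 51000, "165.166.8.60", 8080, 1, 0),        # ACK
    ("10.1.0.13", 52000, "192.0.2.10", 443, 1, 0),           # unrelated conversation
    ("192.0.2.10", 443, "10.1.0.13", 52000, 1, 0),
]


def endpoints(pkt):
    """Fold both directions of a flow into one unordered endpoint pair,
    the way a Conversations row counts traffic in either direction."""
    src_ip, src_port, dst_ip, dst_port, _seq, _n = pkt
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)


def ip_conversations(packets):
    """Equivalent of the IPv4 conversations tab: one row per IP pair with
    packet and byte counts, sorted by packet count descending so the
    busiest peer of 10.1.0.13 floats to the top."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        (ip_a, _), (ip_b, _) = endpoints(pkt)
        row = stats[(ip_a, ip_b)]
        row["packets"] += 1
        row["bytes"] += pkt[5]
    return sorted(stats.items(), key=lambda kv: kv[1]["packets"], reverse=True)


def assign_tcp_streams(packets):
    """Number each 4-tuple in order of first appearance, which is what the
    tcp.stream field does. Returns a list parallel to `packets`."""
    index_of = {}
    streams = []
    for pkt in packets:
        key = endpoints(pkt)
        if key not in index_of:
            index_of[key] = len(index_of)
        streams.append(index_of[key])
    return streams


def select_stream(packets, stream_no):
    """The 'tcp.stream eq N' display filter: exactly the packets that
    File > Export Specified Packets with 'Displayed' would write out."""
    return [p for p, s in zip(packets, assign_tcp_streams(packets)) if s == stream_no]


def retransmissions(packets):
    """Flag data segments whose (direction, seq) was already carried by an
    earlier data segment. Simplified stand-in for Wireshark's heuristic;
    returns the indices of the flagged packets."""
    seen = set()
    flagged = []
    for i, pkt in enumerate(packets):
        src_ip, src_port, dst_ip, dst_port, seq, n = pkt
        if n == 0:
            continue  # pure ACKs and handshake segments carry no data to resend
        key = (src_ip, src_port, dst_ip, dst_port, seq)
        if key in seen:
            flagged.append(i)
        seen.add(key)
    return flagged


def lost_direction(packets):
    """Count retransmissions per (src -> dst): the direction in which
    segments were lost and had to be re-sent."""
    counts = defaultdict(int)
    for i in retransmissions(packets):
        src_ip, _, dst_ip, _, _, _ = packets[i]
        counts[(src_ip, dst_ip)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (a, b), row in ip_conversations(PACKETS):
        print(f"{a:>15} <-> {b:<15} packets={row['packets']} bytes={row['bytes']}")
    print("stream indices:", assign_tcp_streams(PACKETS))
    print("retransmissions by direction:", lost_direction(PACKETS))
```

Run against the constructed data, the top conversation row is 10.1.0.13 <-> 165.166.8.60 with 7 packets, stream 0 is that flow and stream 1 the unrelated one, and the only retransmission is in the 165.166.8.60 -> 10.1.0.13 direction, mirroring the conclusion the post draws from its capture.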
