This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

IP based transfer

0

Anyone have any ideas on analyzing a purely IP based transfer? I'm analyzing a trace file supposedly of a low throughput for replication over the WAN. The trace only show IP with no TCP so I'm not sure what flags to look for. I believe the customer is using a Brocade storage router.

Screenshot

alt text

asked 18 Nov '12, 09:52

ws2006's gravatar image

ws2006
1121214
accept rate: 0%

edited 18 Nov '12, 14:14

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

1

The field Protocol in the IP header indicates the next protocol what does it say in your case?

(18 Nov '12, 10:55) Anders ♦

see screenshots

(18 Nov '12, 13:39) ws2006

I added your screenshot to the question, as it's easier to read that way

(18 Nov '12, 14:16) Kurt Knochner ♦

One Answer:

1

As the Protocol: field says, Wireshark interprets the IP protocol number 61 as SHIM6 header, that used to be the "old IP number" for SHIM6.

After checking the code...

The code for Wireshark 1.8.0 contains a definition for IP protocol 61:

IP_PROTO_SHIM6_OLD, "SHIM6 header" }, / 61 any host internal protocol [Internet_Assigned_Numbers_Authority] /

This leads to the following conclusion:

  • The IP protocol used (61) is something vendor specific and that's why you cannot dissect it with Wireshark, even with the latest version.

So, what can you do:

  • Ask the vendor about the protocol used and if they provide a Wireshark dissector plugin for that protocol or any other tool to analyze the protocol.
  • Analyzing the traffic with Wireshark might help a bit. You can still look at the throughput (see Statistics and IO Graphs), but that's basically it. Without insight into the protocol, you will have a hard time to figure out the reason for the performance problems. After all, it could be the MPLS network itself or the local connection to the MPLS (local router / link).

Regards
Kurt

answered 18 Nov '12, 14:20

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 18 Nov '12, 14:31

Thanks Kurt.

(18 Nov '12, 19:38) ws2006