I am trying to reconstruct a TCP conversation from the first SYN to the FIN in order to troubleshoot an application response issue. If I use "Follow TCP Stream" in Wireshark, it always starts from the first packet captured. It doesn't list time or number the packets, so it is very difficult to figure out. I need to be able to select a SYN packet from within the capture and then see all subsequent packets in the exchange. I am specifically looking at response times, because ACKs seem to be losing ground and transmissions are slowing. There must be an easier way to do this: any advice would be great. asked 04 Dec '12, 16:51 Silas1066
One Answer:
Follow TCP Stream is basically a forensic feature, while also doing the filtering for the specific TCP conversation you are interested in. I'd always recommend locating the SYN packet for the connection you're interested in, right-clicking on that SYN packet and then going for Conversation Filter -> TCP. This applies the same filter as Follow TCP Stream does, without reconstructing payload data, which in terms of network analysis should not be needed unless you're troubleshooting application issues within the layer 4+ protocols. Then, in the filtered conversation, set the time reference on the first packet, which is your SYN, and your relative times are nicely readable for that specific conversation. Be sure to add the column "delta time displayed" as well to quickly look up inter-packet timings -> this should fit your needs to analyse what's going on inside your TCP session. answered 04 Dec '12, 22:44 Landi
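The procedure in the answer (conversation filter from the SYN, time reference on the SYN, delta time displayed) reproduced in code, as an added example that is not part of the original thread. It runs over a small constructed packet list rather than a real capture, so the addresses, ports and timestamps are invented sample data; the display filter it builds uses the `ip.addr`/`tcp.port` form, and the assumption is that you would paste that into Wireshark or `tshark -Y`.

```python
"""Follow one TCP conversation from its SYN, the way Wireshark's
Conversation Filter -> TCP plus a time reference on the SYN does.

Added example, not code from the original thread. CAPTURE below is a
constructed sample, not a real trace: two interleaved connections,
the interesting one starting with the SYN in frame 3.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    number: int   # Wireshark frame number (1-based)
    time: float   # capture timestamp in seconds (constructed values)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # TCP flag letters: S, SA, A, PA, FA


CAPTURE = [
    Packet(1, 1000.000, "10.0.0.5", 40001, "10.0.0.9", 443, "S"),
    Packet(2, 1000.001, "10.0.0.9", 443, "10.0.0.5", 40001, "SA"),
    Packet(3, 1000.010, "10.0.0.5", 40002, "10.0.0.9", 80, "S"),
    Packet(4, 1000.012, "10.0.0.5", 40001, "10.0.0.9", 443, "A"),
    Packet(5, 1000.110, "10.0.0.9", 80, "10.0.0.5", 40002, "SA"),
    Packet(6, 1000.111, "10.0.0.5", 40002, "10.0.0.9", 80, "A"),
    Packet(7, 1000.115, "10.0.0.5", 40002, "10.0.0.9", 80, "PA"),  # request
    Packet(8, 1000.900, "10.0.0.9", 80, "10.0.0.5", 40002, "A"),   # late ACK
    Packet(9, 1001.400, "10.0.0.9", 80, "10.0.0.5", 40002, "PA"),  # response
    Packet(10, 1001.401, "10.0.0.5", 40002, "10.0.0.9", 80, "FA"),
]


def conversation_filter(syn: Packet) -> str:
    """Display-filter text equivalent to right-click -> Conversation Filter -> TCP."""
    return (f"ip.addr=={syn.src} && tcp.port=={syn.sport} && "
            f"ip.addr=={syn.dst} && tcp.port=={syn.dport}")


def same_conversation(p: Packet, syn: Packet) -> bool:
    """True if p belongs to the same 4-tuple as syn, in either direction."""
    fwd = (syn.src, syn.sport, syn.dst, syn.dport)
    rev = (syn.dst, syn.dport, syn.src, syn.sport)
    return (p.src, p.sport, p.dst, p.dport) in (fwd, rev)


def follow_from_syn(capture, syn_number):
    """Filter the conversation starting at the given SYN frame and return
    rows with the two timings the answer recommends: time relative to the
    SYN (time reference) and delta to the previous displayed packet."""
    syn = next(p for p in capture if p.number == syn_number)
    if "S" not in syn.flags or "A" in syn.flags:
        raise ValueError(f"frame {syn_number} is not a SYN (flags={syn.flags})")
    rows, prev = [], None
    for p in capture:
        # Start at the SYN itself; frames of an earlier connection that
        # reused the same ports are left out, which is what the asker wants.
        if p.number < syn.number or not same_conversation(p, syn):
            continue
        rows.append({
            "frame": p.number,
            "rel": round(p.time - syn.time, 6),            # time reference = SYN
            "delta": round(0.0 if prev is None else p.time - prev.time, 6),
            "flow": f"{p.src}:{p.sport} -> {p.dst}:{p.dport}",
            "flags": p.flags,
        })
        prev = p
    return rows


def largest_delay(rows):
    """Frame number and delta of the longest gap between displayed packets;
    this is where to look first when a connection is 'slowing down'."""
    worst = max(rows, key=lambda r: r["delta"])
    return worst["frame"], worst["delta"]


if __name__ == "__main__":
    print("filter:", conversation_filter(CAPTURE[2]))
    for r in follow_from_syn(CAPTURE, 3):
        print(f"{r['frame']:>3} rel={r['rel']:8.6f} delta={r['delta']:8.6f} "
              f"{r['flow']} [{r['flags']}]")
    print("largest gap:", largest_delay(follow_from_syn(CAPTURE, 3)))
```

In the constructed data the longest gap is the 0.785 s between the client's request (frame 7) and the server's bare ACK (frame 8), which is exactly the kind of pattern the delta column makes visible. One caveat on the 4-tuple filter: if the client reuses the same source port later in the capture, that filter also matches the second connection, which is why starting from the chosen SYN matters; in Wireshark the `tcp.stream` field (one index per connection) avoids that ambiguity.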
Landi:
If I select the SYN packet and go to Analyze --> Conversation Filter,
I don't see anything in there except two "greyed out" options: PN-AO etc.
Am I in the right place?
@Silas1066: I converted your answer to a comment due to the rules of this Q&A site.
You right-click on the SYN packet right where you spot it in the packet list, and in the context menu you find Conversation Filter -> TCP.