
Capture just the error


Hello There,

When I run a backup program, I see TCP connection getting re-established once in few days. System error code is 10053 and 10054. Capturing all the wireshark traces for these days might be a huge task. Can I run wireshark and set filter to capture packets only while TCP Reconnection occurs?

I know it is not that easy as I think because we need to capture packets before reconnection too to analyze the traces in detail.

So, in this scenario, what is the best practice to capture the traces? Should I run wireshark and monitor it until the next TCP reconnection occurs?

Any help with an example will be much helpful.

Thanks, Santhosh

asked 23 Sep '14, 10:51


Santhosh Pal...

Perhaps you can clarify exactly what you mean by "TCP Reconnection". I'm not sure what you mean by that. Do you mean the TCP connection is broken, and a new one is established? If that's the case, there are quite a few ways you could handle this. The first one that comes to my mind is to filter on packets where the SYN flag or the RST flag is set.

In situations where the problem is more likely related to the SYN/ACK/RST stuff, and not in the actual TCP data, you don't need to capture the entire packet. You only need to capture the L2-L4 headers, which can make your trace significantly smaller - helpful in situations with long-running traces. By default, my Linux tcpdump uses a snaplen of 64 bytes which is enough to capture the TCP header and below. You can adjust this parameter in Wireshark using the Edit Interfaces dialog box. dumpcap also has the -s switch.

There are other techniques to limit the size/number of your traces if you're concerned about size, such as rolling buffers and limiting the number of files. In Wireshark, these can be configured in the Capture Options dialog box.

(25 Sep '14, 05:58) smp

While running a backup, I get a message stating the TCP connection has reestablished. I wanted to know why it got reestablished. Can you guide me on what flag I could use?

(25 Sep '14, 11:00) Santhosh Pal...

One Answer:


I think your best bet is to run dumpcap instead of Wireshark. If you need to capture for lengthy periods of time, consider using a ring buffer, limiting the size of each file by size and/or by time.

But yes, you should run dumpcap and monitor it until the next TCP reconnection occurs.

If you're running on Windows, you might want to take a look at a batch file I posted on the wireshark-users mailing list which, when used in combination with mailsend, can even send you an e-mail notification of when a particular capture event of interest occurs. The idea is that you wouldn't have to manually monitor the capturing to figure out when the event occurs, but instead you could be immediately notified whenever it does occur. It's possible to implement your own custom hooks as well. If you do decide to try it, just be sure to read the 2 follow-ups here and here.

answered 10 Oct '14, 07:52


cmaynard ♦♦
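The two pieces of advice in this thread, smp's comment (filter on SYN/RST, cut the snaplen so only L2-L4 headers are kept) and cmaynard's answer (run dumpcap unattended with a ring buffer), fit together in one long-running capture. The script below is an added example, not code from the thread or from the Wireshark project; the interface name, the backup server address (an RFC 5737 documentation address) and the port are placeholders to replace. The dumpcap switches it uses (`-i`, `-s`, `-f`, `-b filesize:`/`duration:`/`files:`, `-w`) and the tshark display-filter fields are real and work the same on Windows. Note the trade-off the asker already spotted: a capture filter that keeps only SYN/RST packets shows *that* the connection was reset but not *why*, so the default here keeps every header of the backup flow and discards only payload, and the flags-only filter is offered as the lighter alternative.

```shell
#!/bin/sh
# Added example (not from the thread): unattended dumpcap capture of one
# backup flow, rotated in a ring buffer, for catching a TCP reset/reconnect
# (Winsock 10053/10054) that happens only every few days.

# Placeholders, not values from the thread: adjust to your environment.
IFACE="eth0"
BACKUP_HOST="192.0.2.10"       # documentation address, stands in for the backup server
BACKUP_PORT="10000"
OUTDIR="/var/tmp/backup-capture"

# Capture filter (BPF syntax): the whole backup flow, all flags. Keeping every
# packet of the flow preserves what happened *before* the reset, which is what
# explains a 10053/10054; the snaplen below is what keeps the files small.
capture_filter() {
    printf 'host %s and tcp port %s' "$BACKUP_HOST" "$BACKUP_PORT"
}

# Lighter variant: only packets with SYN or RST set (smp's suggestion). Enough
# to timestamp each reconnect, not enough to see the data exchange before it.
flags_only_filter() {
    printf '%s and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0' "$(capture_filter)"
}

# Ring buffer: rotate every 100 MB (dumpcap counts -b filesize in kB) or every
# hour, and keep only the 20 newest files, so disk use stays bounded.
ring_buffer_args() {
    printf '%s' "-b filesize:102400 -b duration:3600 -b files:20"
}

# Start the capture. Snaplen 128 bytes keeps Ethernet + IP + TCP headers
# (including options) and drops payload, which cuts file size by an order of
# magnitude on a bulk-transfer backup flow.
run_capture() {
    filter="$1"
    mkdir -p "$OUTDIR"
    # shellcheck disable=SC2046  # ring_buffer_args is deliberately word-split
    dumpcap -i "$IFACE" -s 128 -f "$filter" $(ring_buffer_args) \
        -w "$OUTDIR/backup.pcapng"
}

# After a reconnect has been reported, list resets and new handshakes in a
# rotated file so you can jump straight to the right tcp.stream in Wireshark.
list_resets() {
    tshark -r "$1" \
        -Y 'tcp.flags.reset == 1 || (tcp.flags.syn == 1 && tcp.flags.ack == 0)' \
        -T fields -e frame.number -e frame.time -e ip.src -e ip.dst \
        -e tcp.stream -e tcp.flags.str
}

# Usage (nothing runs on plain invocation, so the functions can be sourced):
#   sh capture.sh run          # full headers of the backup flow
#   sh capture.sh run-flags    # SYN/RST packets only
#   sh capture.sh list FILE    # show resets/handshakes in a saved file
case "${1:-}" in
    run)       run_capture "$(capture_filter)" ;;
    run-flags) run_capture "$(flags_only_filter)" ;;
    list)      list_resets "$2" ;;
esac
```

Once a reset shows up in `list_resets`, open the file that contains it and apply `tcp.stream == N` in Wireshark: with the full-flow filter you will see the last data segments, any retransmissions and the zero-window or keep-alive traffic that preceded the RST, which is usually what distinguishes a server-side abort (10054) from a local network drop (10053).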