This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

correlating traces

0

Hello, I need to correlate 2 separate traces, one taken on my network and the other on my client's network. There are packet drops and retransmissions in between our networks, with at least a half dozen of the client's switches/routers before my end-point router on the client's network. Is there an article/tutorial/youtube/Sharkfest presentation that can assist me? Thanks

asked 05 Dec '14, 13:59


IND
accept rate: 0%


One Answer:

1

Are they the same exact session captured at these two locations?

If so, one way would be

  • Zoom in on one session (eg: right-click and 'follow TCP session') in one trace file
  • Go to file -> 'export specified packets' and save it as its own capture file.
  • Do the same from the second trace you're comparing.
  • Open one of the session-specific capture files, and hit ctrl+shift+m to 'mark' all the packets in that trace.
  • Go to File -> Merge and merge the two traces together. Sort them chronologically (default)

From that, you should have an apples-to-apples comparison where two complete sets of the packets relating to that session are in one file, with one file's packets "marked" and the other's not. At this level you can (for example) right-click the IP ID field of an IP header and add it as a column, looking for any lack of duplicates. You could also look at the protocol stats with 'frame.marked==1' compared to '!frame.marked==1', or put those two into an IO graph and compare any criteria you want for these traces.

Could you possibly upload the trace files and post the URL (if the data isn't confidential)?: https://appliance.cloudshark.org/upload/

answered 05 Dec '14, 16:42


Quadratic
accept rate: 13%

edited 05 Dec '14, 16:43
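The same marked/unmarked merge and IP ID comparison, as an added example that is not part of the original answer: the rows below are constructed values in the shape `tshark -r x.pcap -T fields -e frame.time_epoch -e ip.id -e tcp.seq` would export from each session-specific file (no real trace is used), and the trace names and field choice are assumptions.

```python
# Added example, not from the original answer: correlate two captures of one
# TCP session on ip.id. Rows are constructed "time ip.id tcp.seq" values.
MY_SIDE = """\
1.000 0x1a01 1000
1.010 0x1a02 2460
1.020 0x1a03 3920
1.030 0x1a04 5380
1.200 0x1a05 3920
"""
CLIENT_SIDE = """\
1.045 0x1a01 1000
1.055 0x1a02 2460
1.075 0x1a04 5380
1.245 0x1a05 3920
"""

def parse(text):
    """Turn exported rows into (time, ip_id, tcp_seq) tuples."""
    return [(float(t), int(i, 16), int(s))
            for t, i, s in (ln.split() for ln in text.splitlines() if ln.strip())]

def merge(mine, client):
    """Merge chronologically, tagging each packet with its source trace
    (the scripted equivalent of marking one file before File -> Merge)."""
    tagged = [(t, "mine", i, s) for t, i, s in mine]
    tagged += [(t, "client", i, s) for t, i, s in client]
    return sorted(tagged)

def correlate(merged):
    """Pair packets across sides by ip.id: returns ids seen only on my side,
    ids seen only on the client side, and one-way delay (ms) for the rest.
    Caveat: some stacks emit a constant/zero ip.id; key on tcp.seq then."""
    seen = {}
    for t, side, ipid, _ in merged:
        seen.setdefault(ipid, {})[side] = t
    lost = sorted(i for i, s in seen.items() if "client" not in s)
    unexpected = sorted(i for i, s in seen.items() if "mine" not in s)
    delay_ms = {i: round((s["client"] - s["mine"]) * 1000)
                for i, s in seen.items() if len(s) == 2}
    return lost, unexpected, delay_ms

def retransmissions(records):
    """tcp.seq values sent under more than one ip.id within one trace."""
    ids = {}
    for _, ipid, seq in records:
        ids.setdefault(seq, set()).add(ipid)
    return {s: sorted(v) for s, v in ids.items() if len(v) > 1}
```

With the sample rows, ip.id 0x1a03 never reaches the client side and its tcp.seq reappears under 0x1a05, which is the drop-then-retransmit pattern the merged view is meant to expose.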

Thank you, let me work with your recommendation. Ivan

(06 Dec '14, 16:01) IND