This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

merging captures with different Packet sizes


Hi people,

I have a capture from 2 endpoints. Dumpcap was running on both machines locally and one of the machines had TSO enabled, so I see a lot of 9000 packet lengths; in the other trace all offloading was disabled, so I see 1460 everywhere.

I was trying to merge both ends into one file and remove the duplicates, but editcap finds none (reasonably so, I suppose) and I get a messy trace file with many false retransmissions etc. Is there a way around this or am I stuck with a: manually filtering the merged file or b: just opening Wireshark 2 times and comparing by eye? Any help appreciated; the one packet out, 7 ACKs back thing is driving me mad, especially when a packet gets lost...

asked 28 Jun '15, 13:24


DarrenWright

Are they really "duplicates" though, considering they're completely different sizes? I mean the machine with the smaller ones might be missing a segment in the middle of other segments that comprise a single one of the larger packets on the other machine. And the larger one is missing a lot of IP+TCP-layer header info of the smaller packet segments, which might or might not be important to the user. So the de-duplication logic would have to be pretty smart.

I think it would be better if mergecap let you specify that each file it's merging be stored as a separate interface in pcapng file format - which supports distinguishing which of multiple interfaces a packet was on. That way they'd all be in the file but hopefully not considered duplicates. Of course that assumes Wireshark won't detect "duplicates" across different interfaces as duplicates, but hopefully that's the case. (And if not, I'd consider it a bug, or at least reasonable to have an on/off setting for.)

In theory, if your original captures were in pcapng format and were captured on different interface numbers, it should already correctly merge that information today in the current mergecap version - so we could add a feature option to make mergecap explicitly do it just based on being different input files.

P.S. At last week's Sharkfest Robert Bullen presented a utility to remove duplicate packets, but I don't think that will help you because of the differing packet sizes due to TSO. (I didn't see Robert's presentation, so I don't know that it won't address this use case, but I'd be surprised if it did.)

(28 Jun '15, 15:14) Hadriel

Is there a way around this or am I stuck with a: manually filtering the merged file or b: just opening wireshark 2 times and comparing by eye?

Well, that's the result if you capture on the host itself and you don't disable TCP offloading ;-) Depending on the kind of problem you are trying to solve, you can either disable TCP offloading on both sides or Follow TCP stream and compare the TCP stream data (not sure if that will help you).

(28 Jun '15, 17:04) Kurt Knochner ♦
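An added example, not code from the thread or from the Wireshark project: a small Python check that scans a classic libpcap file for frames longer than an Ethernet link can carry, which is how the TSO-inflated 9000-byte segments from a host-side capture show up next to the peer's 1460-byte ones. It assumes little-endian microsecond pcap (not pcapng) and a 1500-byte MTU; `build_pcap` constructs the sample input in memory so it runs offline.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
# 14-byte Ethernet header + 1500-byte MTU (20 IP + 20 TCP + 1460 payload, as in the question)
ETHERNET_MAX_FRAME = 1514


def build_pcap(frame_lengths):
    """Constructed sample: an Ethernet (linktype 1) pcap with zero-filled frames of the given lengths."""
    out = bytearray(PCAP_GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, 1))
    for i, length in enumerate(frame_lengths):
        out += PCAP_REC_HDR.pack(1435500000 + i, 0, length, length)
        out += bytes(length)
    return bytes(out)


def iter_frames(data):
    """Yield (index, incl_len, orig_len) per record; refuses other magics and truncated files."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian microsecond pcap is handled here (assumption)")
    off, idx = PCAP_GLOBAL_HDR.size, 0
    while off + PCAP_REC_HDR.size <= len(data):
        _, _, incl_len, orig_len = PCAP_REC_HDR.unpack_from(data, off)
        off += PCAP_REC_HDR.size
        if off + incl_len > len(data):
            raise ValueError(f"truncated record {idx}")
        yield idx, incl_len, orig_len
        off += incl_len
        idx += 1


def offload_inflated_frames(data, max_frame=ETHERNET_MAX_FRAME):
    """Indices of frames whose original length exceeds the link maximum.

    In a capture taken on the sending host these are segments recorded before
    the NIC split them (TSO/GSO); they never match what the peer saw on the wire,
    so editcap -d style duplicate removal cannot pair them up."""
    return [idx for idx, _, orig_len in iter_frames(data) if orig_len > max_frame]


def summarize(data, max_frame=ETHERNET_MAX_FRAME):
    """Quick verdict for a capture: total frames, inflated frames, largest frame."""
    frames = list(iter_frames(data))
    inflated = [f for f in frames if f[2] > max_frame]
    return {"frames": len(frames), "inflated": len(inflated),
            "max_len": max((f[2] for f in frames), default=0)}
```

If `inflated` is non-zero for a host-side capture, offloading was on during capture and the trace will not line up with the peer's, regardless of any merge or dedup step.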

Hi Kurt, yeah: I kinda gave up explaining that to people. OFFLOAD BAD. The problem is, as is so often the case, that explaining to someone that they need to change settings on their NIC usually lands against a wall. After a lot of coffee and tears in my eyes I managed to cut my way through it all and noticed something weird with SACK being ignored. Noticed funnily enough that MrEeede just answered a different thread with possibly the answer I am looking for (SRE Keeps Increasing). Will have a look today; it's just really hard to cut through the multiple ACKs to see what is happening.

It's just as it is, annoying, but not a problem of Merging / cleaning. Thanks.

@Hadriel: Yeah, that was exactly the issue, and then SACK started playing around and the retransmissions were just killing the connection. The mergecap explicit option for separate files, can that be a thing? :D

(29 Jun '15, 00:38) DarrenWright