I am trying to isolate a network issue by using Wireshark. I am capturing packets from a PC using the dumpcap commands. I want to find out when an RDP session starts and stops. Using dumpcap at a cmd prompt, I see Wireshark filling up the directory with .pcap files. After stopping the capture and using the filter tcp.port eq 3389, I can see the start of the RDP session. Let's say the SYN is in file 1.pcap. Throughout file 1.pcap, I see ACKs, COTPs and TPKTs. However, when I review file 2.pcap, file 3.pcap, etc., and use the same filter, no data displays. But when I check file 20.pcap and apply the same filter, data appears! asked 27 Aug '15, 14:16 tjcreek55 |
One Answer:
Christin and Uli, Thanks for the comments. And yes, it is a possibility there was no data. But, I don't know. To further isolate this issue, I added two capture filters. These filters only captured frames from the host I am troubleshooting and that were RDP. Example: dumpcap "host 1.1.1.1" "port 3389" -i 1 -b files:10000 -b filesize:30000 c:\tjcreek55.pcap The capture filters eliminated the multiple .pcap files in the same minute. Additionally, I did not have a lot of files filling up the hard drive. The files I had only contained the frames I really wanted to see. I could clearly see, follow, and track what was going on with the TCP session. Please note, you must use quotes around the capture filter. answered 31 Aug '15, 08:29 tjcreek55 |
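The question and the answer are both about locating where a single RDP session begins and ends inside a dumpcap ring buffer of many files, some of which carry no RDP frames at all. As an added example (not from the original post, the answer, or Wireshark itself), the Python below walks a fileset in order and reports the first client SYN and the last FIN/RST on TCP/3389 together with the file each landed in; the three sample pcap files, their addresses and ports are constructed in memory.

```python
import struct

RDP_PORT = 3389
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def make_frame(src, dst, sport, dport, flags):  # minimal Ethernet/IPv4/TCP frame (constructed sample data)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(records):  # libpcap file, Ethernet link type, from (timestamp, frame) pairs
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(f), len(f)) + f
                          for ts, f in records)

def tcp_records(pcap_bytes):
    """Yield (timestamp, sport, dport, tcp_flags) for each IPv4/TCP record in one pcap file."""
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # truncated, not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield sec + usec / 1e6, sport, dport, frame[14 + ihl + 13]

def rdp_session_bounds(fileset):
    """Scan an ordered fileset; return ((start_ts, file), (end_ts, file)) for port 3389, or None."""
    start = end = None
    for name, data in fileset:
        for ts, sport, dport, flags in tcp_records(data):
            if RDP_PORT not in (sport, dport):
                continue
            if start is None and flags & SYN and not flags & ACK:  # client SYN opens the session
                start = (ts, name)
            if flags & (FIN | RST):  # last FIN or RST seen closes it, possibly files later
                end = (ts, name)
    return start, end

# Constructed ring buffer: handshake in 1.pcap, only unrelated traffic in 2.pcap, teardown in 3.pcap.
C, S = "192.0.2.10", "192.0.2.20"  # placeholder client/server addresses
SAMPLE_FILESET = [
    ("1.pcap", make_pcap([(1000.0, make_frame(C, S, 50000, RDP_PORT, SYN)),
                          (1000.25, make_frame(S, C, RDP_PORT, 50000, SYN | ACK))])),
    ("2.pcap", make_pcap([(1060.0, make_frame(C, "192.0.2.30", 50001, 443, ACK))])),
    ("3.pcap", make_pcap([(1130.5, make_frame(C, S, 50000, RDP_PORT, FIN | ACK))])),
]
```

Point `rdp_session_bounds` at real files by passing `[(path, open(path, "rb").read()) for path in sorted_paths]`; an RDP session that was still open when the ring buffer wrapped shows up as a start with `end` equal to `None`.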
How large are your trace files (GB) and how long (time) are they?
The trace files are 10Mb.
Also, there were at least two trace files in a minute.
Maybe there is just no data, because no packet has been sent. Could that be?
As Christian said, maybe there was no data.
When you're working with multiple files (filesets) I recommend Jasper's great TraceWrangler tool (https://www.tracewrangler.com/). With it you can extract packets for a specific conversation spanning multiple files.