Hello,

I know that out of order packets have been discussed many times, but I still think there should be some way to reorder packets based on sequence and ack numbers only to make it easier to see if all packets were sent and received, and then how many were retransmitted. Yes, looking at the FINs, the following ACKs, and RSTs can be a quick way to see if all packets were sent and received, but it is sometimes painfully difficult to go up and down looking at each packet's sequence and ack numbers.

Tcpdumps from firewalls and loadbalancers are always saved out of order, and worse, the orders do not match each other. This makes large captures difficult to troubleshoot by having to ignore the Wireshark warning messages about previous segment lost and acking unseen segment. Then, look at each packet up and down trying to piece together what was sent and received.

A Wireshark menu option to reorder packets from the display filter based on sequence and ack numbers would be the best improvement ever.

Thanks, Tom

asked 08 Nov '15, 05:36 TomF
One Answer:
I know that problem well and as you said, sometimes it makes troubleshooting harder.
You can add a column for the IP ID (ip.id) and/or SEQ (tcp.seq) and sort the capture file according to the values of one of these columns. It will break the 'flow' of a session (req/resp), but at least it will help to compare two capture files (taken on the firewall and/or the loadbalancer).
Please add a feature request to the Wireshark bug tracker.

Regards

answered 08 Nov '15, 07:55 Kurt Knochner ♦

Hello Kurt, Many thanks. Adding a column for Custom(tcp.seq) is a good workaround and will help. Thanks, Tom (08 Nov '15, 19:37) TomF

Good! Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up). (09 Nov '15, 14:47) Kurt Knochner ♦
Do you want to be able to save a pcap with out-of-order packets into a new pcap with the packets in order (timestamp of packets may not be in order as a result) and all retransmitted packets removed?
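
Added example, not part of the original thread and not Wireshark code: for one direction of one TCP connection, this Python example puts segments in sequence-number order (wrap-safe, relative to the initial sequence number) and reports which frames are retransmissions and which byte ranges are missing from the capture. The `Segment` fields, the sample frames and the ISN are constructed for illustration; they correspond to the `frame.number`, `tcp.seq` and `tcp.len` fields of a capture.

```python
from collections import namedtuple

# One captured TCP segment from a single flow direction (constructed record).
Segment = namedtuple("Segment", "frame seq length")

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def analyze(segments, isn):
    """Return (frames in sequence order, retransmitted frames, missing ranges).

    Ranges are relative sequence numbers, half-open: (first_missing, next_seen).
    """
    def rel(s):
        return (s.seq - isn) % MOD  # wrap-safe relative sequence number

    # Ties on seq keep capture order, so the first copy seen counts as the
    # original and later copies as retransmissions.
    ordered = sorted(segments, key=lambda s: (rel(s), s.frame))
    retransmitted, gaps = [], []
    next_expected = 1  # the SYN consumes relative seq 0
    for s in ordered:
        if s.length == 0:
            continue  # pure ACKs carry no data
        start, end = rel(s), rel(s) + s.length
        if end <= next_expected:
            retransmitted.append(s.frame)  # bytes already covered
            continue
        if start > next_expected:
            gaps.append((next_expected, start))  # bytes never captured
        next_expected = end
    return [s.frame for s in ordered], retransmitted, gaps


# Constructed sample: ISN close to the 32-bit wrap, frames saved out of order.
ISN = 4294967000
SAMPLE = [
    Segment(1, 4294967001, 100),  # rel 1..100
    Segment(2, 4294967201, 100),  # rel 201..300, captured before frame 3
    Segment(3, 4294967101, 100),  # rel 101..200
    Segment(4, 4294967101, 100),  # same bytes as frame 3 again
    Segment(5, 105, 100),         # rel 401..500 after wrap; 301..400 missing
]

if __name__ == "__main__":
    order, retrans, missing = analyze(SAMPLE, ISN)
    print("sequence order:", order)
    print("retransmitted frames:", retrans)
    print("missing byte ranges:", missing)
```

Sorting on the raw `tcp.seq` value would place frame 5 first because its absolute sequence number wrapped past zero, which is why the example sorts on the value relative to the ISN.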