Hi all, I am very new to Wireshark (first time I have run and produced a packet capture) so any help would be much appreciated. I have a client on a Windows 7 PC who is getting disconnected from the shared drive on a Windows Server 2008. I ran a Wireshark capture for a few hours on the user's machine to capture the disconnects. I have a time window between 15:50 and 15:59 when the user had a clear disconnect; how do I filter the log to see the disconnects and the cause of the disconnects? Currently I have filtered with the following:

(frame.time >= "Nov 03, 2015 15:50:00") && (frame.time <= "Nov 03, 2015 15:59:00") && (tcp.flags.reset == 1)

This has still given me over 102 records, so I am finding it very difficult to see what I am looking for. Can someone help me filter and read the log to give a more black and white cause (if possible)? Thank you in advance, Diviesh

asked 15 Nov '15, 21:27 diviesh
One Answer:
I would recommend to:

But rule No. 1 is: Wireshark (or any other capture tool) can answer you WHAT has happened, not WHY it has happened. So if your W7 client and W2008 server are not in the same IP subnet, it may make sense to capture at both of them to see the differences; if they exist, the intermediate equipment may have affected the connection. Otherwise, only heavy packet loss (which can also be spotted by capturing at both ends) or application behaviour (fault) or hardware failure (the latter two cannot be displayed using Wireshark) can be the root causes of the disconnection.

answered 16 Nov '15, 03:01 sindy, edited 16 Nov '15, 03:02
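One way to turn the 102 reset frames into something readable, following the answer's point that the capture can only show WHAT happened: group the resets by TCP stream and record, per stream, which side sent the RST and how many retransmissions preceded it. A stream where the client retransmits several times and then resets points at packet loss; a server-sent RST with no loss points at the server side or something in between. This is an added example, not code from the question or the answer. It assumes the filtered frames were exported with tshark into a comma-separated file (assumed command in the docstring), that the client and server addresses are the placeholders shown, and that the sample lines below are constructed, not real capture data.

```python
"""
Summarise TCP resets from a tshark field export of the narrowed time window.

Assumed export command (not part of the original thread):
  tshark -r capture.pcapng \
    -Y '(frame.time >= "Nov 03, 2015 15:50:00") && (frame.time <= "Nov 03, 2015 15:59:00")' \
    -T fields -E separator=, \
    -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
    -e tcp.stream -e tcp.flags.reset -e tcp.analysis.retransmission > window.csv
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Placeholder addresses: substitute the real client and server IPs.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "192.0.2.20"

# Column order must match the -e options of the export command above.
FIELDS = ["time", "src", "dst", "sport", "dport", "stream", "rst", "retrans"]

# Constructed sample export: stream 3 shows two client retransmissions and
# then a client RST, stream 7 a server RST with no loss, stream 9 an
# unrelated HTTP connection reset by the client.
SAMPLE = """\
1446565810.10,192.0.2.10,192.0.2.20,49152,445,3,False,
1446565812.40,192.0.2.10,192.0.2.20,49152,445,3,False,Retransmission (suspected)
1446565815.10,192.0.2.10,192.0.2.20,49152,445,3,False,Retransmission (suspected)
1446565820.00,192.0.2.10,192.0.2.20,49152,445,3,True,
1446565830.00,192.0.2.20,192.0.2.10,445,49153,7,True,
1446565833.00,192.0.2.10,203.0.113.5,49160,80,9,True,
"""


def parse_export(text):
    """Parse tshark field output into dicts; assumes tcp.flags.reset is
    exported as 1/0 or True/False and tcp.analysis.retransmission is
    non-empty only when the analysis flag was set."""
    rows = []
    for raw in csv.reader(StringIO(text)):
        if len(raw) != len(FIELDS):
            continue  # blank or malformed line
        row = dict(zip(FIELDS, raw))
        row["time"] = float(row["time"])
        row["rst"] = row["rst"] in ("1", "True")
        row["retrans"] = row["retrans"] != ""
        rows.append(row)
    return rows


def summarize_streams(rows, client_ip, server_ip):
    """For every TCP stream that contains a RST, report who sent the first
    RST, the server-side port, and how many retransmissions came before it."""
    streams = defaultdict(list)
    for r in rows:
        streams[r["stream"]].append(r)
    summary = {}
    for stream, pkts in streams.items():
        pkts.sort(key=lambda p: p["time"])
        rst_idx = next((i for i, p in enumerate(pkts) if p["rst"]), None)
        if rst_idx is None:
            continue  # stream never reset inside the window
        rst = pkts[rst_idx]
        if rst["src"] == client_ip:
            who = "client"
        elif rst["src"] == server_ip:
            who = "server"
        else:
            who = "other"
        summary[stream] = {
            "reset_by": who,
            "server_port": rst["dport"] if rst["src"] == client_ip else rst["sport"],
            "retrans_before_reset": sum(1 for p in pkts[:rst_idx] if p["retrans"]),
            "reset_time": rst["time"],
        }
    return summary


def count_by_originator(summary):
    """Collapse the per-stream table into 'who sends the resets' counts."""
    return Counter(s["reset_by"] for s in summary.values())


if __name__ == "__main__":
    summary = summarize_streams(parse_export(SAMPLE), CLIENT_IP, SERVER_IP)
    for stream, s in sorted(summary.items(), key=lambda kv: kv[1]["reset_time"]):
        print(f"stream {stream}: RST by {s['reset_by']} on port {s['server_port']}, "
              f"{s['retrans_before_reset']} retransmissions before reset")
    print("resets by originator:", dict(count_by_originator(summary)))
```

Run it against a real export by replacing SAMPLE with the contents of window.csv and setting the two IP placeholders. Restricting attention to streams whose server port is 445 isolates the file-share sessions from unrelated resets, and the retransmission count per stream is the quickest indicator of whether the loss the answer mentions is present at the client end.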