This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Filtering, new and confused, map drives disconnect

0

Hi all, I am very new to Wireshark (first time I have run and produced a packet capture), so any help would be much appreciated.

I have a client on a Windows 7 PC who is getting disconnected from the shared drive on a Windows Server 2008.

I ran a Wireshark capture for a few hours on the user's machine to capture the disconnects.

I have a time window between 15:50 and 15:59 when the user had a clear disconnect. How do I filter the log to see the disconnects and the cause of the disconnects?

Currently I have filtered with the following:

(frame.time >= "Nov 03, 2015 15:50:00")&&(frame.time <= "Nov 03, 2015 15:59:00")&&(tcp.flags.reset == 1)

This has still given me over 102 records, so I am finding it very difficult to see what I am looking for.

Can someone help me filter and read the log to give a more black and white cause (if possible)?

Thank you in advance, Diviesh

asked 15 Nov '15, 21:27

diviesh
6112
accept rate: 0%


One Answer:

0

I would recommend:
1. click, in the packet list pane, on the second of those packets shown while using your filter
2. clear the filter (the packet you've clicked on remains focused)
3. click on "Analyze -> Follow TCP Stream"; a window with the conversation contents will open, but also a new display filter will be prepared and applied, so you'll (hopefully, if the capture was long enough) see the whole TCP session which has ended by RST. In the packet list pane, the highest-level protocol found in each packet is displayed, so don't worry that some of them are marked as "tcp" and some as "smb" or something else
4. now try to find out whether there was some reason for the RST at the protocol level.

But rule No. 1 is: Wireshark (or any other capture tool) can answer you WHAT has happened, not WHY it has happened. So if your W7 client and W2008 server are not in the same IP subnet, it may make sense to capture at both of them to see the differences; if they exist, the intermediate equipment may have affected the connection. Otherwise, only heavy packet loss (which can also be spotted by capturing at both ends) or application behaviour (fault) or hardware failure (the latter two cannot be displayed using Wireshark) can be the root causes of the disconnection.

answered 16 Nov '15, 03:01

sindy
6.0k4851
accept rate: 24%

edited 16 Nov '15, 03:02
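As an added example that is not part of the original question or answer, the following Python script reproduces both halves of this thread on a constructed packet summary: the asker's time-window plus `tcp.flags.reset == 1` filter, and then the answer's "Follow TCP Stream" step, which pulls every packet of the same conversation back into view so the packets just before the RST can be read. All addresses, ports, frame numbers and timestamps are constructed sample data, not from the asker's capture; the `Frame` class and the helper functions are this example's own, and the display filter it builds uses addresses and ports because a hand-made list has no `tcp.stream` index for Wireshark's own `tcp.stream eq N` filter.

```python
"""Reproduce the thread's workflow on constructed packet summaries:
1. filter RSTs inside a time window (the asker's display filter);
2. "follow" the conversation of one chosen RST (the answer's steps 2-3);
3. look at who sent the RST and what preceded it (the answer's step 4)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Frame:
    no: int            # frame number, as in the packet list pane
    time: datetime     # frame.time
    src: str
    sport: int
    dst: str
    dport: int
    rst: bool          # tcp.flags.reset
    proto: str         # highest-level protocol Wireshark would show
    info: str          # Info column text


def T(clock):
    """Timestamp helper using the same date format as the asker's filter."""
    return datetime.strptime(f"Nov 03, 2015 {clock}", "%b %d, %Y %H:%M:%S")


# Constructed sample capture (not real data): one SMB session from a
# client (10.0.0.5) to a file server (10.0.0.10) that dies with a RST
# after the client's reads go unanswered, plus an unrelated RST to a
# web server that would also match the asker's filter.
FRAMES = [
    Frame(1, T("15:49:58"), "10.0.0.5", 49321, "10.0.0.10", 445, False, "TCP", "SYN"),
    Frame(2, T("15:49:58"), "10.0.0.10", 445, "10.0.0.5", 49321, False, "TCP", "SYN, ACK"),
    Frame(3, T("15:49:58"), "10.0.0.5", 49321, "10.0.0.10", 445, False, "TCP", "ACK"),
    Frame(4, T("15:50:01"), "10.0.0.5", 49321, "10.0.0.10", 445, False, "SMB2", "Negotiate Protocol Request"),
    Frame(5, T("15:50:01"), "10.0.0.10", 445, "10.0.0.5", 49321, False, "SMB2", "Negotiate Protocol Response"),
    Frame(6, T("15:52:30"), "10.0.0.5", 49321, "10.0.0.10", 445, False, "SMB2", "Read Request"),
    Frame(7, T("15:52:31"), "10.0.0.5", 49321, "10.0.0.10", 445, False, "TCP", "[TCP Retransmission] Read Request"),
    Frame(8, T("15:52:33"), "10.0.0.5", 49321, "10.0.0.10", 445, False, "TCP", "[TCP Retransmission] Read Request"),
    Frame(9, T("15:52:35"), "10.0.0.10", 445, "10.0.0.5", 49321, True, "TCP", "RST, ACK"),
    Frame(10, T("15:55:00"), "10.0.0.5", 49400, "93.184.216.34", 443, True, "TCP", "RST, ACK"),
    Frame(11, T("16:01:00"), "10.0.0.5", 49500, "10.0.0.10", 445, False, "TCP", "SYN"),
]


def conversation_key(f):
    """Direction-independent 4-tuple, so both directions map to one stream."""
    return tuple(sorted([(f.src, f.sport), (f.dst, f.dport)]))


def resets_in_window(frames, start, end):
    """The asker's filter: frame.time inside [start, end] and tcp.flags.reset == 1."""
    return [f for f in frames if start <= f.time <= end and f.rst]


def follow_stream(frames, chosen):
    """Answer steps 2-3: clear the filter and keep only the chosen packet's conversation."""
    key = conversation_key(chosen)
    return [f for f in frames if conversation_key(f) == key]


def stream_display_filter(chosen):
    """Address/port form of the filter Follow TCP Stream applies (Wireshark
    itself uses tcp.stream eq N; this constructed list has no stream index)."""
    (a, ap), (b, bp) = conversation_key(chosen)
    return f"ip.addr=={a} && tcp.port=={ap} && ip.addr=={b} && tcp.port=={bp}"


def reset_context(stream, lookback=3):
    """Answer step 4: who sent the RST, and what the packets just before it were."""
    rst = next(f for f in stream if f.rst)
    before = [f for f in stream if f.no < rst.no][-lookback:]
    return {
        "rst_from": rst.src,
        "preceding": [(f.proto, f.info) for f in before],
        "retransmissions": sum("Retransmission" in f.info for f in before),
    }


if __name__ == "__main__":
    hits = resets_in_window(FRAMES, T("15:50:00"), T("15:59:00"))
    print(f"{len(hits)} RST packets in window:", [f.no for f in hits])
    stream = follow_stream(FRAMES, hits[0])
    print("stream filter:", stream_display_filter(hits[0]))
    for f in stream:
        print(f"{f.no:>3} {f.time:%H:%M:%S} {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto} {f.info}")
    print(reset_context(stream))
```

Run on the sample data, the window filter still returns two RSTs (the SMB session and an unrelated HTTPS connection), which is the same noise the asker saw; following the first one narrows the view to nine packets and shows the server resetting a session in which the client's last read was retransmitted twice with no reply, a pattern that points at packet loss or an unresponsive server rather than at the client, exactly the kind of protocol-level context the answer says to look for before asking WHY.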