This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Compare functionality in Wireshark

0

Hi

I am attempting to use the Wireshark compare function to compare captures taken on client & server. I could do with some clarification on a few things please:

Is it advisable for the 2 computers to have their times synchronised prior to taking the 2 captures, or does this make no difference?

In the result dialog box, can you explain what the following mean:

Scopes: (is this the range of information matched up in each end's capture?)

Equal packets: (is this the number of packets that match up in the 2 merged captures?)

I see an average time difference of 1231.xxxxxx, but the RTT between the 2 computers is only 10ms. Is this due to the times not being synchronised on the 2 computers?

I am trying to compare a merged capture file of approx 171MB. When I start the comparison, usually the computer stops responding. Sometimes it recovers after around 10 mins, but other times it does not & Wireshark has to be closed. Any ideas?

Sorry about so many questions, but thought I'd try to get answers to all in one go..

Many Thanks Ian

asked 01 Jul '11, 08:46


ipittam
31346
accept rate: 0%

edited 01 Jul '11, 08:46


One Answer:

0

In my experience it is wise to have the servers'/computers' time synchronized by using NTP, Network Time Protocol. I don't know what type of server you're using, but for Windows Server 2008 you can enable this: http://computeradvisors.net/windows-server-2008/configure-ntp-(network-time-protocol)-on-windows-server-2008/

Kerberos' Ticket Granting Ticket system works more efficiently in authorization of users if system times are synchronized, as tickets could effectively expire before they should based on incorrect times. However, there is an offset time which you can use to specify the offset in the Compare function of Wireshark if the time is not exactly the same.

A 171MB capture file is rather large for analyzing. I've found that keeping my cap files smaller than 50MB makes it easier and less time-consuming to analyze. I imagine your computer is stopping running because of the size of the files it is processing.

Hope this is somewhat helpful, John

answered 01 Jul '11, 09:29


John_Modlin
1205
accept rate: 0%
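The effect the question describes (an average time difference of over 1200 seconds between two ends only 10 ms apart) is what an unsynchronized clock looks like once the same packets are matched across both captures. The following added example is not Wireshark code and not from either poster; it assumes each capture is reduced to (ip_id, timestamp) pairs, matches packets on the IP identification field the way the compare dialog does, and shows why the median difference is really a clock offset to be subtracted before per-packet timing means anything.

```python
"""Estimate the clock offset between a client-side and a server-side capture.

Added example (not from Wireshark or the thread). Assumptions: each capture is
a list of (ip_id, timestamp) tuples, ip_id identifies the same IP packet on
both ends, timestamp is the capture time in seconds since an arbitrary epoch.
"""
from statistics import median

# Constructed sample data: four packets seen on both ends plus one seen only
# on the client.  The server clock runs ~1231.5 s ahead of the client clock,
# and the one-way network latency is about 5 ms with a little jitter.
CLIENT = [(0x1001, 100.000), (0x1002, 100.020), (0x1003, 100.041),
          (0x1004, 100.063), (0x1005, 100.080)]          # 0x1005 never reached the server
SERVER = [(0x1001, 1331.505), (0x1002, 1331.525), (0x1003, 1331.546),
          (0x1004, 1331.569)]


def match_packets(capture_a, capture_b):
    """Return (ip_id, t_a, t_b) for every packet present in both captures.

    The number of tuples returned corresponds to the 'equal packets' count:
    packets that could be paired up between the two merged captures.
    """
    seen_in_b = {ip_id: ts for ip_id, ts in capture_b}
    return [(ip_id, ts, seen_in_b[ip_id]) for ip_id, ts in capture_a if ip_id in seen_in_b]


def estimate_offset(matched):
    """Median of (t_b - t_a) over matched packets.

    With unsynchronized clocks this value is dominated by the clock offset
    (the ~1231 s in the question), not by the network RTT.  It also absorbs
    the constant part of the one-way latency, which a single direction of
    traffic cannot separate from the clock error.  The median is used rather
    than the mean so a few retransmitted or delayed packets do not skew it.
    """
    return median(t_b - t_a for _, t_a, t_b in matched)


def residual_deltas_ms(matched, offset):
    """Per-packet difference after removing the estimated offset, in milliseconds.

    What remains is the jitter relative to the typical path delay; large
    positive residuals point at packets delayed somewhere between the two ends.
    """
    return [(ip_id, round((t_b - t_a - offset) * 1000.0, 3)) for ip_id, t_a, t_b in matched]


if __name__ == "__main__":
    pairs = match_packets(CLIENT, SERVER)
    off = estimate_offset(pairs)
    print(f"equal packets: {len(pairs)}, estimated clock offset: {off:.3f} s")
    for ip_id, ms in residual_deltas_ms(pairs, off):
        print(f"  ip_id=0x{ip_id:04x} residual={ms:+.3f} ms")
```

Feeding the estimated offset into the compare dialog's offset field (as the answer suggests) is the manual equivalent of the subtraction done in residual_deltas_ms; if NTP had been in place on both machines the estimated offset would already be within a few milliseconds of zero.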