Archive for the ‘TCP Analysis’ category

  1. Trace File Case Files: SMB2 Performance

    We had an interesting question regarding SMB2 performance on the Wireshark Q&A forum recently. Upon request the person asking the question was able to add a couple of trace files (=”capture” files).  The question and a link to the traces can be found here: Since the question nicely fits into the scope my talk […]

  2. Megalodon challenge solution

    During Sharkfest 2015 I put up a challenge that was different from the usual challenges offered. The pcap files are a lot bigger, the task to solve less specific, and the answer not a simple “easy to verify” answer. I promised to put up my solution a few months after posting the challenge to this […]

  3. Port Numbers reused

    Sharkfest 2015 is coming up fast (22 days, 12 hours to go when typing this), and so I spend the morning hours of my Saturday for preparation of materials for my three talks. Since that also involves adding features and fixing bugs in TraceWrangler (which I also need for the large demo part of my […]

  4. TCP Analysis and the Five-Tuple

    The TCP expert of Wireshark is doing a pretty good job at pinpointing problems, helping analysts to find the packets where things go wrong. Unfortunately, there are some things that can throw the expert off pretty badly, which can fool inexperienced analysts in believing that there are big problems on the network. I did a […]

  5. Advanced display filtering

    Wireshark has a lot of display filters, and the filtering engine is really powerful. You can filter on almost anything in a packet, and ever since the filter box started suggesting possible filter expressions it got really easy to find the one you wanted.

  6. Determining network protocols

    If you spent enough time using Wireshark or any other network analysis tool, you’ll sooner or later be able to even read bare hex dumps of packets, at least partially (it’s a little bit like Neo seeing the Matrix). So maybe you run across a text dump of a packet like this one: 0000  00 […]

  7. Determining frame forwarding latency

    In some situations the question arises how much a frame was delayed by a device it has to pass through, e.g. firewalls, loadbalancers and sometimes even routers and switches. Usually, novice network analysts think that for that you need to synchronize the clocks of the capture PCs down to microseconds or even better, but that […]

  8. How millisecond delays may kill database performance

    Mike, an old buddy of mine is one of the best database application development consultants I have ever met. We worked together for the same company for a couple of years before I got into network analysis, but a couple of months ago I found out that there was going to be a conference in […]

  9. TCP Expert Updates in Wireshark 1.12

    Wireshark 1.12 has just arrived, and of course the first thing to do is to download and install the new version. The second thing to do should be to read the release notes.Nobody seems to do it, but everybody should. Okay, before I get to the TCP expert thing, let’s see why release notes are […]

  10. Determining TCP Initial Round Trip Time

    I was sitting in the back in Landis TCP Reassembly talk at Sharkfest 2014 (working on my slides for my next talk) when at the end one of the attendees approached me and asked me to explain determining TCP initial RTT to him again. I asked him for a piece of paper and a pen, […]