Analyzing protocol capture

Colin Higgins
Level 2

I am troubleshooting an application response problem through a FWSM using Wireshark, but I'm having trouble analyzing some of the data.

I did a traffic capture between a client and the server behind the FWSM

Using Wireshark, I open the capture and try to filter the streams using tcp.stream eq 1-6

I then start going through the packets to see what is going on. However, it seems that I cannot find the complete conversation. I can get the first four frames (SYN, SYN-ACK, ACK, and a TCP segment), but after that, it seems there are other conversations within the stream, and I cannot locate the next packet by using sequence number, etc. (unless I want to go through thousands of packets manually).

Is there a simpler way to do this? Looking at the TCP Stream option within Wireshark is no help: it does not use timestamps, and simply starts at the first packet captured (I need to look at specific conversations).

Any advice would be great

1 Accepted Solution


Marvin Rhoads
Hall of Fame

Filter the Wireshark display to show only traffic to/from the client IP. e.g.:

ip.addr==

in the Wireshark display filter.

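As an added example (not part of this thread, and not Cisco's or Wireshark's code): the script below groups the packets of a pcap into TCP conversations in the same first-seen order Wireshark uses for its tcp.stream index, records which side sent the SYN and whether the three-way handshake completed, and prints an ip.addr/tcp.port display filter for each conversation that you can paste into Wireshark to jump straight to that stream, independent of where "Follow TCP Stream" starts. The capture it parses is constructed inline with hypothetical addresses (10.1.1.10, 10.1.1.77, 192.168.5.20); read your own capture file into `parse_pcap` to use it for real.

```python
"""Group TCP conversations in a pcap the way Wireshark's tcp.stream index does.
Added example; every address, port and timestamp below is constructed."""
import socket
import struct
from collections import OrderedDict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def _frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet II + IPv4 + TCP header, no payload, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: two full handshakes from 10.1.1.10 and one unanswered
    SYN from 10.1.1.77, interleaved the way a capture behind a firewall looks."""
    C, C2, S = "10.1.1.10", "10.1.1.77", "192.168.5.20"
    frames = [
        (1.000, _frame(C, S, 51000, 80, SYN)),
        (1.001, _frame(S, C, 80, 51000, SYN | ACK)),
        (1.002, _frame(C, S, 51000, 80, ACK)),
        (1.010, _frame(C, S, 51001, 80, SYN)),
        (1.011, _frame(S, C, 80, 51001, SYN | ACK)),
        (1.012, _frame(C, S, 51001, 80, ACK)),
        (1.020, _frame(C2, S, 40000, 80, SYN)),        # never answered
        (1.030, _frame(C, S, 51000, 80, PSH | ACK)),   # first request on stream 0
        (1.031, _frame(S, C, 80, 51000, ACK)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic pcap header
    for ts, data in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def parse_pcap(blob):
    """Yield (timestamp, src, dst, sport, dport, flags) for each IPv4/TCP frame.
    Handles microsecond pcap (either byte order) on Ethernet; pcapng is not parsed."""
    magic, = struct.unpack_from("<I", blob, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", blob, off)
        pkt = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                      # not IPv4, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        tcp = pkt[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield sec + usec / 1_000_000, src, dst, sport, dport, tcp[13]


def summarize_streams(blob):
    """One record per 4-tuple, numbered in first-seen order (Wireshark's rule,
    ignoring port reuse). 'client' is whoever sent the first packet we saw, so
    it is only reliable when the capture includes the SYN."""
    streams = OrderedDict()
    for ts, src, dst, sport, dport, flags in parse_pcap(blob):
        key = frozenset({(src, sport), (dst, dport)})
        st = streams.get(key)
        if st is None:
            st = streams[key] = {"index": len(streams), "first_ts": ts, "packets": 0,
                                 "client": (src, sport), "server": (dst, dport),
                                 "saw_synack": False, "handshake": False}
        st["packets"] += 1
        syn, ack = bool(flags & SYN), bool(flags & ACK)
        if syn and ack and (src, sport) == st["server"]:
            st["saw_synack"] = True
        elif ack and not syn and st["saw_synack"] and (src, sport) == st["client"]:
            st["handshake"] = True
    return list(streams.values())


def display_filter(st):
    """Display filter that isolates one conversation whatever its tcp.stream number."""
    (cip, cport), (sip, sport) = st["client"], st["server"]
    return f"ip.addr=={cip} && tcp.port=={cport} && ip.addr=={sip} && tcp.port=={sport}"


def streams_for_client(streams, ip):
    """The conversations the reply's ip.addr== filter would show, narrowed to the ones that host initiated."""
    return [st for st in streams if st["client"][0] == ip]


if __name__ == "__main__":
    for st in summarize_streams(build_sample_pcap()):
        print(f"tcp.stream {st['index']}: first seen {st['first_ts']:.3f}s, "
              f"{st['packets']} pkts, handshake={'ok' if st['handshake'] else 'INCOMPLETE'}")
        print("    ", display_filter(st))
```

The same grouping is available inside Wireshark under Statistics > Conversations (TCP tab), which lists each conversation with its start time and packet count; selecting a row and applying it as a filter does what `display_filter` prints. Note also that `tcp.stream eq 1-6` is not a valid range expression; to show a range of streams use `tcp.stream >= 1 && tcp.stream <= 6`.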
