
The Dark Side of Packet Slicing (by Mike Canney)


 

Slicing the packets or frames in our captures can be a great way to hide information in trace files if done correctly. However, you have to really understand the reason for the captures in the first place. For example, application performance issues often leave many clues at layer 4 (specifically TCP). What happens when you "hard" slice a trace file and can no longer follow the TCP sequence numbers because an incorrect frame size value has been written to the pcap file?

Other times you may need to see the specific application call (SQL/Oracle) to actually fix the problem but you no longer have that data because you've sliced it away.  

What if you are capturing packets for Security Forensics?  Being able to report to authorities exactly "What" data was breached/stolen is often critical.  That's very hard to do if you have sliced your captures.

In this short video we will examine the dark side of packet slicing as well as look at one way you can recover your "lost", incorrect sequencing when your capture device or packet broker is limited to only hard slicing.  We will also show you how to use TraceWrangler to resolve these issues on a pcapng file.
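The following Python sketch is an added example, not code from the video or from TraceWrangler. It shows one way to detect hard-sliced records in a classic pcap file and restore the original frame length from the IPv4 total-length field, which survives in the first bytes of the sliced frame. It assumes Ethernet II framing without VLAN tags and IPv4; the function names and the sample capture are constructed for illustration.

```python
import struct

ETH_HDR = 14  # assumption: Ethernet II link type, no VLAN tag

def ipv4_wire_len(frame):
    """Frame length implied by the IPv4 total-length field, or None if not IPv4."""
    if len(frame) < ETH_HDR + 4 or frame[12:14] != b"\x08\x00":
        return None
    return ETH_HDR + struct.unpack("!H", frame[ETH_HDR + 2:ETH_HDR + 4])[0]

def repair_hard_slices(pcap):
    """Return (repaired_pcap, report); report rows are (index, captured, old_len, new_len)."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    out, report, pos, idx = bytearray(pcap[:24]), [], 24, 0
    while pos + 16 <= len(pcap):
        ts_sec, ts_frac, incl, orig = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        wire = ipv4_wire_len(frame)
        # Hard slice: record claims nothing was cut, but the IP header says more was on the wire.
        if wire is not None and orig == incl and wire > incl:
            report.append((idx, incl, orig, wire))
            orig = wire
        out += struct.pack(end + "IIII", ts_sec, ts_frac, incl, orig) + frame
        pos += 16 + incl
        idx += 1
    return bytes(out), report

def sample_pcap():
    """Constructed capture: a 1514-byte TCP frame hard-sliced to 64 bytes, then an intact 60-byte frame."""
    def frame(ip_total, keep):
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        return (eth + ip + bytes(ip_total - 20))[:keep]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for f in (frame(1500, 64), frame(46, 60)):
        body += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return hdr + body

if __name__ == "__main__":
    print(repair_hard_slices(sample_pcap())[1])
```

Correcting the recorded length restores the information needed to track TCP sequence numbers, but the payload bytes that were sliced away are not recoverable.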

 

 

 

 


Mike Canney specializes in providing application and network performance consulting services.

Over the past 26 years Mike has helped 1,000s of companies identify and resolve their application and network performance issues. Mike has also developed coursework and taught engineers how to identify, remediate, and prevent network and application issues by analyzing traffic flows at the packet level.

Mike has been a guest speaker at many industry trade shows (such as Interop, Wireshark "Sharkfest" and Cisco Live) throughout the United States on the topic of application performance analysis.

Mike can be reached at mike@microsecondsmatter.com

 

 
