384 posts categorized "Protocol Analysis"

TCP Checksum Error Case Study (by Paul Offord)

When I see TCP Retransmissions and Dup ACKs in a trace I naturally think about packet loss, but that's not the only cause.  The TCP Checksum mechanism is used to check the integrity of the TCP payload (or segment) and, although it's rare to see genuine checksum errors in a trace, it's another cause of retransmissions.

[Figure: Network topology]

For Wireshark users there's good and bad news.  The good news is that Wireshark can check each packet for TCP Checksum errors.  The bad news is that they are not always genuine errors.  So how can we tell the difference?

In this video ...



Using NetworkMiner with a Windows netsh trace File (by Paul Offord)

Before analyzing a network packet trace file, I try to make sure that I've collected information about IP addresses and TCP/UDP port numbers.  Even so, I still find that I don't have all the information I need.  There are techniques you can use to get the missing information - check NBNS host announcements, explore the names resolved by DNS - but it's all just more hassle.

[Screenshot: NetworkMiner host details]

Recently I noticed a bit of a buzz around NetworkMiner, so I thought I'd check it out.  What I found was a simple tool that does just what I need; extract useful host and service information from Wireshark traces.  We now analyze a fair number of traces captured with Windows netsh trace, so I thought I'd look at how we can use NetworkMiner with these Windows-native trace files.

In this video ...



Reordering Network Packets with Wireshark and Workbench (by Paul Offord)

Occasionally I need to analyse Wireshark traces where the packets are not ordered by timestamp.  The following screenshot shows out of order packets that were found in a trace file that was generated by Wireshark dumpcap capturing via two network interfaces; a typical configuration when using a network TAP.

[Screenshot: Wireshark packet list showing a negative Delta value]

In the screenshot, notice how the timestamp of the fourth packet is earlier than that of the second packet, causing the negative delta value.

Clicking on the Time column label will certainly reorder the packets into time sequence but, unfortunately, the Delta value will still be incorrect and the issue can cause problems with tools such as Wireshark TRANSUM.  Above all, it just adds to the complexity of the trace analysis, so what we really need is a way to reorder the packets in the capture file itself.

Fortunately, there is a handy Wireshark tool called Reordercap that can re-sequence the packets in timestamp order.

In this short video ...



How TCP Works - Acknowledgment Numbers (by Chris Greer)

Let's learn more about TCP. 

So far, we've looked at the handshake process and how sequence numbers work. Now, let's check out how the acknowledgment process works with TCP. 

After all, this is a critical component of making TCP a connection-oriented, reliable transport protocol. Understanding how these numbers work goes a long way in troubleshooting issues in networks and applications. The better we understand these processes, the faster we can spot issues when things are broken. 

Got four minutes? Check it out! 


Thanks for checking it out and hopefully it helps all packet-heads out there! 



How TCP Works - Sequence Numbers (by Chris Greer)

TCP is important stuff for network engineers to know. 

Why? 

Today's problems aren't so cut-and-dry as they used to be. When a problem strikes, we can't just say "it's not the network" and go along with our day. A core understanding of TCP and how it carries and acknowledges data goes a long way in finding the root cause of performance problems today. 

One key aspect of TCP that is important to learn is the Sequence and Acknowledgement process. To put it simply, these numbers in the TCP headers indicate how much data has been sent and received. They allow each endpoint to determine if there was packet loss, what needs to be retransmitted, and help to determine how much data is in flight. 

For a six-minute crash-course on how TCP Sequence numbers work, check out this video:


Thanks for checking it out and hopefully it helps all packet-heads out there! 

Author Profile - Chris Greer is a Network Analyst for Packet Pioneer LLC and a Certified Wireshark Network Analyst. Chris regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. Chris also delivers training and develops technical content for several analysis vendors.



How TCP Works - The Handshake (by Chris Greer)

This video uses Wireshark to show how the handshake process works in TCP. It is part of a new TCP Fundamentals series on the Packet Pioneer YouTube channel. I hope it helps the budding packet-heads out there! 

Enjoy!
