Analyzing Multiple Trace Files - Setup
Updated: Sep 18, 2020
I get many emails asking for assistance with analyzing multiple trace files. Let's start with a quick review of the benefits of having multiple trace files:
Determine the source of lost packets
Determine network latency
Determine the source of out of sequence packets
The hardest part of this process is the setup or preparing your trace files. I try to keep the capture points as consistent as possible. For example, if you have Wireshark installed on your server, I would prefer that you have Wireshark installed on the client computer. If you span the server port, I would prefer we span the client port, that sort of thing.
If you use Wireshark, use Wireshark for all your captures; don't pair a Wireshark capture from the client with a capture from your router taken with its own capture software. I'm sure you see where I'm going with this.
The next step is to determine why you need multiple trace files. In this example I will start with something straightforward: looking for dropped/lost packets. The first thing I do is open both trace files, filtered to the traffic between the two device IP addresses. Then I save the filtered trace files with meaningful names. Now we can zero in on a conversation between the devices. I typically go to layer 4, in this case the TCP layer. I use the Statistics > Conversations > TCP tab and sort by Bytes or Packets. In this video I chose to sort by Bytes and apply a one-way filter from the data sender to the receiver.
Once I have the filter created on one side, I simply copy and paste the filter to the other trace file. This works because the other trace file contains the same Layer 3 and higher information. The process will be slightly different if address translation devices are involved in the communication path. I will cover that technique in a future video.
Now I add the TCP sequence number as a column, and I can easily see whether a packet was retransmitted or lost. For the advanced user, you can see how you could export this new trace file to Excel, a database or a script to compare the sequence numbers and automate the process.
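As an added example that is not part of the original post, here is the automated comparison the last sentence alludes to: a small Python script that reads the one-way flow from two CSV exports (one per capture point) and classifies each sequence number as delivered, retransmitted or lost. The CSV rows and the IP addresses 10.0.0.5 and 10.0.1.9 are constructed sample data, not from any real capture.

```python
import csv
import io
# Constructed sample data shaped like Wireshark's "Export Packet Dissections > As CSV"
# output with tcp.seq and tcp.len added as columns (relative sequence numbers).
# Sender side sends 2921 twice (frames 3, 5) and 5841 once; the receiver side sees
# one copy of 2921 and never sees 5841.
SENDER_SIDE_CSV = """\
"No.","Time","Source","Destination","tcp.seq","tcp.len"
"1","0.000000","10.0.0.5","10.0.1.9","1","1460"
"2","0.000120","10.0.0.5","10.0.1.9","1461","1460"
"3","0.000240","10.0.0.5","10.0.1.9","2921","1460"
"4","0.000360","10.0.0.5","10.0.1.9","4381","1460"
"5","0.210000","10.0.0.5","10.0.1.9","2921","1460"
"6","0.210120","10.0.0.5","10.0.1.9","5841","1460"
"7","0.210130","10.0.1.9","10.0.0.5","1","0"
"""
RECEIVER_SIDE_CSV = """\
"No.","Time","Source","Destination","tcp.seq","tcp.len"
"7","0.004000","10.0.0.5","10.0.1.9","1","1460"
"8","0.004110","10.0.0.5","10.0.1.9","1461","1460"
"9","0.004350","10.0.0.5","10.0.1.9","4381","1460"
"10","0.214000","10.0.0.5","10.0.1.9","2921","1460"
"""

def load_segments(csv_text, src, dst):
    """Count data segments per tcp.seq for the one-way flow src -> dst (pure ACKs skipped)."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same one-way filter as in the post (ip.src == src && ip.dst == dst), minus zero-length segments.
        if row["Source"] != src or row["Destination"] != dst or int(row["tcp.len"]) == 0:
            continue
        seq = int(row["tcp.seq"])
        counts[seq] = counts.get(seq, 0) + 1
    return counts

def compare_traces(sender_csv, receiver_csv, src, dst):
    """Classify every sequence number the sender transmitted by what the receiver's capture saw."""
    sent = load_segments(sender_csv, src, dst)
    received = load_segments(receiver_csv, src, dst)
    report = {"lost": [], "retransmitted": [], "delivered_once": []}
    for seq in sorted(sent):
        if received.get(seq, 0) == 0:
            report["lost"].append(seq)           # never reached the far capture point
        elif sent[seq] > 1:
            report["retransmitted"].append(seq)  # sent again after a copy went missing
        else:
            report["delivered_once"].append(seq)
    return report

if __name__ == "__main__":
    print(compare_traces(SENDER_SIDE_CSV, RECEIVER_SIDE_CSV, "10.0.0.5", "10.0.1.9"))
```

Wireshark computes relative sequence numbers from the first segment of the stream it sees, so both captures must contain the handshake (or relative sequence numbers must be turned off in the TCP protocol preferences) for the tcp.seq columns to line up across the two files.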
This will be the first of more videos covering various aspects and techniques of multiple trace file analysis.