Wireshark Packet Analysis With 2 Traces
One of the most common questions I get asked when teaching or troubleshooting is how to perform multi-trace analysis.
Unfortunately, there is never a simple answer since it all depends on the equipment and configuration. I explain that even if you have the same equipment, the configuration will dictate how the equipment behaves. In some cases, upgrading the software can change the way in which the device behaves.
The only way to do this, is to capture some packets and go through the process. There are pretty typical scenarios in which you can assume the device's behavior.
- A layer 2 switch will not alter the clients’ packet if the 2 test devices are on the same VLAN. Even if the switch tags the packet, that isn’t the payload within the clients’ packet. I’m sure there will be some sort of exception but none come to mind at the moment.
- A router will minimally change the MAC address, IP time to live, and possibly the TOS.
In this video, I look at 2 traces from a wireless/firewall appliance. One trace is from the client and the other is from the outside of the firewall. I used a Network Critical SmartNA XL tap and a laptop with 2 ethernet adapters.
As you see in the video, I go through my typical thought process and workflow to determine what changes and what remains the same. Once you get the hang of it, then you can quickly use display filters to trace conversations to determine packet loss, high latency, or any other anomalies.
Sr Network Performance Specialist
The Technology Firm
Getting things to work better - bit by bit-
Linkedin Profile https://ca.linkedin.com/in/fortunat
Youtube Channel: https://www.youtube.com/@thetechfirm