Interesting Traces - Host Based Analyzer Lies

The traces are different; showing one of the dangers of using a host based analyzer to capture packets on the local host instead of an analyzer that is listening to what is actually sent the wire. The host based analyzer doesn't always see what is really being sent.

The key TCP segment is in frame #21. In the local trace it has sequence number 1129 and a length of 4600 bytes while in the mirror port trace it has a length of 1380 bytes. Frames 22, 23, and 24 in the mirror port trace have TCP segments with lengths 1380, 1380, and 460 (equaling 4600). You can tell that TCP is breaking the segment up and not IP because the frames have a valid TCP header. If IP had broken the frames up they would have been IP continuation frames, which do not have a TCP header.

The two traces are back in sync with frame 25 in the local trace and 28 in the mirror port trace, both of which have sequence numbers of 5729.

In this case, other than some extra overhead it doesn't really matter. But it is important to keep in mind that there can be significant differences between the sent packets in a trace captured on the sending system and a trace captured with a mirror port, network tap or on the receiving system.

No.     Source            Destination       Protocol Info
     20 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3332 Ack=1129 Win=64407 Len=90
     21 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=1129 Ack=3422 Win=65279 Len=4600
     22 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [ACK] Seq=3422 Ack=3889 Win=65535 Len=0
     23 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [ACK] Seq=3422 Ack=5729 Win=65535 Len=0
     24 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3422 Ack=5729 Win=65535 Len=126
     25 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=5729 Ack=3548 Win=65153 Len=39
     26 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3548 Ack=5768 Win=65496 Len=126
     27 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=5768 Ack=3674 Win=65027 Len=39
     28 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3674 Ack=5807 Win=65457 Len=126
     29 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=5807 Ack=3800 Win=64901 Len=39
     30 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3800 Ack=5846 Win=65418 Len=132

No.     Source            Destination       Protocol Info
     20 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3332 Ack=1129 Win=64407 Len=90
     21 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [ACK] Seq=1129 Ack=3422 Win=65279 Len=1380
     22 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [ACK] Seq=2509 Ack=3422 Win=65279 Len=1380
     23 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [ACK] Seq=3889 Ack=3422 Win=65279 Len=1380
     24 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=5269 Ack=3422 Win=65279 Len=460
     25 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [ACK] Seq=3422 Ack=3889 Win=65535 Len=0
     26 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [ACK] Seq=3422 Ack=5729 Win=65535 Len=0
     27 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3422 Ack=5729 Win=65535 Len=126
     28 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=5729 Ack=3548 Win=65153 Len=39
     29 172.16.1.10       192.168.10.8      TCP      4603 > microsoft-ds [PSH, ACK] Seq=3548 Ack=5768 Win=65496 Len=126
     30 192.168.10.8      172.16.1.10       TCP      microsoft-ds > 4603 [PSH, ACK] Seq=5768 Ack=3674 Win=65027 Len=39

This page was last modified on 07-10-11

Send comments and suggestions
to ndav1@cox.net