Revision history [back]

initial version

With your current capture setup you are capturing data from multiple vlans concurrently. Some of the tcp sessions are captured twice because the two peer hosts are on different vlans. Capturing the same packet on both vlans will confuse the TCP analysis.

In the capture file Forestry_MX_LAN.pcap, the display filter tcp.stream==0 shows packets from ip.addr==10.12.10.12 && ip.addr==10.3.20.120. The session appears to have lots of retransmissions. But if you look more closely you will see that the packets are actually captured twice, once on vlan.id==500 and the other on vlan.id==111.

If you apply a display filter for vlan.id==111 and then use the main menu option Edit -> Ignore All Displayed then all the displayed packets will disappear. Now update the display filter to just tcp.stream==0 and you will see just the vlan.id==500 copies of the tcp.stream==0 without all of the duplicates. You can restore the ignored packets by reloading the capture file.

Regarding your capture file Forestry_MX_LAN_1182023.pcap it shows evidence of massive packet loss likely due to the capture setup. In both capture files you have captured Spanning Tree Protocol (STP) packets. These are normally sent at 2 second intervals. In the Forestry_MX_LAN.pcap with a display filter of stp we can see STP packets at regular 2 second intervals, but in the Forestry_MX_LAN_1182023.pcap file we see irregular gaps between the STP packets. With any sort of packet capture one has to consider the possibility that the capture file itself could be missing packets that were in fact sent but simply were not captured because of the capture setup itself.
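The two checks described in this answer (segments captured once per VLAN that look like retransmissions, and irregular STP hello spacing as a sign the capture itself dropped frames) can be scripted once the capture is exported as fields. The following is an added example, not part of the original answer or of Wireshark itself. It assumes the input was produced with `tshark -r file.pcap -T fields -E separator=/t -e frame.time_relative -e vlan.id -e ip.src -e ip.dst -e ip.id -e tcp.seq -e _ws.col.Protocol`; the sample lines below are constructed to mimic that output and are not real capture data.

```python
from collections import defaultdict

# Column order of the assumed tshark -T fields export (see lead-in).
FIELDS = ["time", "vlan", "src", "dst", "ip_id", "tcp_seq", "proto"]

# Constructed sample, not a real capture: one TCP session between 10.12.10.12 and
# 10.3.20.120 appears on vlan 500 and again on vlan 111 with identical ip.id and
# tcp.seq, plus STP hellos that are 2 s apart except for one large gap.
SAMPLE = """\
0.000000\t500\t10.12.10.12\t10.3.20.120\t0x1a2b\t0\tTCP
0.000012\t111\t10.12.10.12\t10.3.20.120\t0x1a2b\t0\tTCP
0.001000\t\t\t\t\t\tSTP
0.020000\t500\t10.3.20.120\t10.12.10.12\t0x3344\t0\tTCP
0.020010\t111\t10.3.20.120\t10.12.10.12\t0x3344\t0\tTCP
0.040000\t500\t10.12.10.12\t10.3.20.120\t0x1a2c\t1\tTCP
0.040015\t111\t10.12.10.12\t10.3.20.120\t0x1a2c\t1\tTCP
2.001000\t\t\t\t\t\tSTP
4.001000\t\t\t\t\t\tSTP
4.500000\t500\t10.12.10.12\t10.3.20.120\t0x1a2d\t1461\tTCP
11.300000\t\t\t\t\t\tSTP
13.300000\t\t\t\t\t\tSTP
"""


def parse_fields(text):
    """Turn tab-separated tshark field lines into dicts; missing trailing columns become ''."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        vals = line.split("\t")
        vals += [""] * (len(FIELDS) - len(vals))
        p = dict(zip(FIELDS, vals))
        p["time"] = float(p["time"])
        pkts.append(p)
    return pkts


def cross_vlan_duplicates(pkts):
    """Group TCP frames by (src, dst, ip.id, tcp.seq).

    A real retransmission gets a fresh ip.id; the same ip.id and seq seen on more
    than one VLAN is one segment captured twice, which is what inflates the
    retransmission count in Wireshark's TCP analysis.
    """
    groups = defaultdict(set)
    for p in pkts:
        if p["proto"] != "TCP":
            continue
        groups[(p["src"], p["dst"], p["ip_id"], p["tcp_seq"])].add(p["vlan"])
    return {key: vlans for key, vlans in groups.items() if len(vlans) > 1}


def drop_vlan_copies(pkts, ignore_vlan):
    """Script equivalent of: display filter vlan.id==<ignore_vlan>, Edit -> Ignore All Displayed."""
    return [p for p in pkts if p["vlan"] != ignore_vlan]


def stp_gaps(pkts, hello=2.0, slack=0.5):
    """Return (prev_time, next_time, gap) for STP hellos spaced wider than hello+slack.

    STP hellos are normally 2 s apart, so a much larger gap in the capture means the
    switch kept sending but the capture setup did not record those frames.
    """
    times = [p["time"] for p in pkts if p["proto"] == "STP"]
    gaps = []
    for prev, cur in zip(times, times[1:]):
        gap = cur - prev
        if gap > hello + slack:
            gaps.append((prev, cur, round(gap, 3)))
    return gaps


if __name__ == "__main__":
    pkts = parse_fields(SAMPLE)
    dups = cross_vlan_duplicates(pkts)
    print(f"{len(dups)} TCP segments captured on more than one VLAN")
    for (src, dst, ip_id, seq), vlans in dups.items():
        print(f"  {src} -> {dst} ip.id={ip_id} seq={seq} on vlans {sorted(vlans)}")
    kept = drop_vlan_copies(pkts, "111")
    print(f"after ignoring vlan 111: {len(kept)} frames, "
          f"{len(cross_vlan_duplicates(kept))} duplicates remain")
    for prev, cur, gap in stp_gaps(pkts):
        print(f"STP gap of {gap}s between t={prev} and t={cur}: possible capture loss")
```

Running it against a real export, compare the number of cross-VLAN duplicates with Wireshark's retransmission count before deciding the network is unhealthy; if most "retransmissions" disappear after ignoring one VLAN, the problem is the capture setup, as the answer above says.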