After merging two pcapng files, from two different firewalls, I am receiving Bad TCP errors. These are retransmissions; spurious retransmissions; ACKed unseen segment; Previous segment not captured; Port numbers reused; etc. Is there any way to resolve this? Using WS v3.0.2/Win 8.1.
Thanks and God bless, Genesius
The problem is very likely that the 5-tuples are the same and Wireshark isn't taking into account additional information such as the capture interface when tracking conversations. There is a Wireshark preference to "Enable stricter conversation tracking heuristics" that could be expanded to include the interface in tracking conversations, but every protocol that tracks conversations would have to be modified to make use of it. Obviously, some protocols such as TCP would be good candidates to start with. Alternatively, the "Enable stricter conversation tracking heuristics" preference could be split into separate preferences that allow for more fine-tuning of conversation tracking.
In any case, filing an enhancement bug report on the Wireshark Bug Tracker asking for the interface to be included in conversation tracking is probably the best path for a resolution to this problem.
... and after 4 years, it seems that a bug report has finally been filed as Issue 19463 - Packets on different interfaces are listed as part of the same conversation.
Asked: 2019-08-02 18:12:09 +0000
Seen: 339 times
Last updated: Aug 08 '19
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
If both firewalls saw the same TCP segment, the merged capture will have two copies of that segment, which will look, to Wireshark, as if the segment was retransmitted. Is that what's happening?
Thanks Guy, Checking out the TTL's the firewalls are separated by 4 routers. Not sure if that answers your question. Thanks and God bless, Genesius