hello:
i have a question regarding transum capture position. there are three options "client, intermediate, service". client is pretty self explanatory, if you capture from client. but what about intermediate and service. i have client, load Balanncer and server in my environment. so if i get capture from load balancer would it consider as intermediate and server as service? i couldn't find any specific documentation
thanks
Just a quick note to complete this story. I have recreated the TRANSUM User Guide on the Wireshark Wiki - see https://gitlab.com/wireshark/wireshar...
Hi,
Sorry that the TRANSUM documentation is not accessible at the moment. I'll try to get it uploaded somewhere else and make the link available.
The client, intermediate and server settings change the way that TRANSUM accounts for the time taken for retransmissions. There are several scenarios, but I'll give you two to explain.
With the Client setting and a capture on or close to the client, if we transmit an HTTP request and then need to retransmit it, TRANSUM assigns the retransmission additional time to Request Spread. This is reasonable if we assume that the retransmission was needed because the first instance of the request did not make it to the server. Importantly, we don't assign the retransmission time to Service Time.
Now consider the same scenario but where we are capturing on or adjacent to the server. If we see both the original request packet and the retransmitted request, with the Client setting we would include the retransmission time as request spread. However, it would be more reasonable to assume that the service saw the first request and either there was a prolonged delay in the ACK or the ACK got lost, resulting in the retransmission. Whatever the reason, the Service Time should be judged to start from the receipt of the first instance of the request packet, and so Service Time is increased, rather than the Request Spread. This is the way TRANSUM behaves if you use the Service setting.
The inverse of the above is used for responses from the service:
If you choose the intermediate setting, all retransmission time is allocated to Request or Response spread depending on the direction of data flow.
There are many reasons why this treatment is not perfect, but it's a reasonable compromise.
Best regards...Paul
thank you paul for the explanation and looking forward to see the link for guide/documentation. Also to confirm the answer from my original question and based on your explanation is it safe to assume if i do a capture on server then use service as a capture point and for load balancer use intermediate?
thanks again
@PaulOfford is definitely the authority here, but as far as I can tell, the client is the side that initiates the connection, the service is the side offering the service to which the client connects, and intermediate is somewhere in between the two. So, it's my understanding that your assumption is correct, that a capture from the load balancer would be considered as intermediate.
You might want to also have a look at Paul's Transum presentation from the 2015 Sharkfest Conference. There is also a Wireshark Transum wiki page, but unfortunately there's not much more information there, and the link to the Transum User Guide is now broken because tribelab no longer exists, presumably shut down as part of Advance7 being taken over by Northern Trust.
Please note that in case of a loadbalancer, the TCP session is usually terminated on the clientside of the loadbalancer and then a new TCP session is being set up on the server side of the loadbalancer. This means that when you capture on the loadbalancer, you need to set TRANSUM to service for the client-side connection and to client on for the server side connection.
If the loadbalancer does not terminate the TCP session, then intermediate would be an appropriate setting.
Asked: 2020-01-02 18:23:14 +0000
Seen: 728 times
Last updated: Jan 14 '21
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
