Hello, I'm troubleshooting an issue where I need to figure out if some SYN/ACKs that I'm seeing are in response to a specific SYN.
I took two independent captures, in two different locations and simultaneously. I can see the SYN from my laptop, but I don't see any SYN/ACK anywhere in the same capture; when I check the other capture I notice that there are many SYN/ACKs, but I don't know how to match one of those SYN/ACKs to the SYN that the computer sent.
Can you please help me?
asked 06 Mar '13, 09:52
You need to disable the relative sequence numbers for the TCP protocol first. You can do that in the Preferences -> Protocols section, or by right-clicking the TCP layer in any packet that has TCP inside. Matching packets from multiple locations usually works by finding the same two IPs talking on the same two ports with each other (a "socket pair"). Then, try to find the same TCP sequence numbers of a packet in one trace in the other trace. Sequence numbers are usually unique inside one TCP conversation unless there is so much data transferred that it forces the sequence number to wrap around.
If you can find the same packet containing the same socket pair and the same TCP sequence number, you've got it. If you can't find it anywhere, it's probably not in the trace file. It might still have been on "the wire" but wasn't captured for performance or other reasons. You can usually tell if that is the case if you see the two nodes talking happily (meaning: without retransmissions and duplicate ACKs) with each other even though there seem to be missing packets.
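An added example (not code from the original question or answer) of the matching rule applied to the SYN/SYN-ACK case specifically: a SYN/ACK answers a SYN when it travels the reversed socket pair (server IP:port back to client IP:port) and its raw acknowledgement number equals the SYN's raw initial sequence number plus one, modulo 2^32. That is why the relative sequence numbers have to be switched off in Wireshark first; the script below sidesteps the question by reading the raw 32-bit fields straight out of the packets. The two pcap traces, the addresses (documentation ranges 192.0.2.0/24 and 203.0.113.0/24), the ports and the sequence numbers are all constructed inline so the script runs offline; with real traces you would pass the contents of the two capture files instead. Only the classic pcap container with Ethernet/IPv4/TCP frames is handled, not pcapng.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic, written little-endian
TCP_SYN, TCP_ACK = 0x02, 0x10    # TCP flag bits


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Minimal Ethernet/IPv4/TCP frame: no options, no payload, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1362563520 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_tcp(frame):
    """Return the raw TCP fields of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4            # Ethernet header + IHL words
    if len(frame) < tcp_off + 14:
        return None
    sport, dport, seq, ack, _doff, flags = struct.unpack_from("!HHIIBB", frame, tcp_off)
    return {"src": ".".join(map(str, frame[26:30])), "sport": sport,
            "dst": ".".join(map(str, frame[30:34])), "dport": dport,
            "seq": seq, "ack": ack,                    # raw (absolute) 32-bit values
            "syn": bool(flags & TCP_SYN), "ack_flag": bool(flags & TCP_ACK)}


def parse_pcap(data):
    """Yield (frame number, tcp fields) for every TCP packet in a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off, num = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        num += 1
        tcp = parse_tcp(data[off:off + incl_len])
        off += incl_len
        if tcp:
            yield num, tcp


def match_syn_to_synack(syn_pcap, synack_pcap):
    """Pair each pure SYN in the first trace with the SYN/ACKs answering it in the second.

    A SYN/ACK answers a SYN when it uses the reversed socket pair and its ACK number is
    the SYN's ISN + 1 (mod 2^32). Returns [(syn frame no., syn/ack frame no.), ...];
    a retransmitted SYN/ACK would show up as a second pair for the same SYN.
    """
    syns = [(n, p) for n, p in parse_pcap(syn_pcap) if p["syn"] and not p["ack_flag"]]
    synacks = [(n, p) for n, p in parse_pcap(synack_pcap) if p["syn"] and p["ack_flag"]]
    pairs = []
    for sn, s in syns:
        reverse_pair = (s["dst"], s["dport"], s["src"], s["sport"])
        expected_ack = (s["seq"] + 1) & 0xFFFFFFFF    # an ISN of 0xFFFFFFFF wraps to 0
        for an, a in synacks:
            if (a["src"], a["sport"], a["dst"], a["dport"]) == reverse_pair and a["ack"] == expected_ack:
                pairs.append((sn, an))
    return pairs


# Constructed traces (assumed data, not from the original post). Capture A, taken next
# to the client, holds only its SYN; capture B, taken elsewhere, holds several SYN/ACKs
# of which only frame 1 answers that SYN.
CLIENT, SERVER = "192.0.2.10", "203.0.113.20"
CAPTURE_A = build_pcap([
    build_frame(CLIENT, SERVER, 51234, 443, 0x11223344, 0, TCP_SYN),
])
CAPTURE_B = build_pcap([
    build_frame(SERVER, CLIENT, 443, 51234, 0x5A5A5A5A, 0x11223345, TCP_SYN | TCP_ACK),  # 1: ISN+1, right pair
    build_frame(SERVER, CLIENT, 443, 51235, 0x6B6B6B6B, 0x11223345, TCP_SYN | TCP_ACK),  # 2: same ack, other port
    build_frame(SERVER, CLIENT, 443, 51234, 0x7C7C7C7C, 0x0BADF00D, TCP_SYN | TCP_ACK),  # 3: right pair, other ISN
    build_frame(SERVER, CLIENT, 443, 51234, 0x5A5A5A5A, 0x11223345, TCP_ACK),            # 4: plain ACK, not SYN/ACK
])

if __name__ == "__main__":
    for syn_no, synack_no in match_syn_to_synack(CAPTURE_A, CAPTURE_B):
        print(f"SYN frame {syn_no} in capture A is answered by SYN/ACK frame {synack_no} in capture B")
```

The same check can be done by hand in Wireshark: with relative sequence numbers disabled, note the raw `tcp.seq` of the SYN in the first trace, then apply `tcp.flags.syn == 1 && tcp.flags.ack == 1 && tcp.ack == <that value + 1>` in the second trace (for the constructed SYN above, `tcp.ack == 0x11223345`) and confirm the addresses and ports are the SYN's, reversed.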