Ask Your Question

Revision history [back]

tshark - How can I specify a tab as the -E aggregator character? /s becomes a space, but /t becomes a forward slash, a keyboard tab generates a syntax error.

I have two capture files of the same traffic between a pair of Windows servers. One capture file is from Wireshark running on one of the Windows virtual hosts. The other capture file is from a SPAN port on a switch close to the other Windows system. The capture covers a roughly 24 hour period. The purpose of the captures was to isolate where our connection failures were happening.

I extracted the SYN packets from both capture files and compared their packet timestamps, matching on source and destination ports and the packet sequence number (actual, not relative). The delta time for the same packet starts out at 80 milliseconds. After an hour or so the delta becomes 7.6 seconds and stays that way for 23 hours. Then within the next hour the delta time for the same packet jumps to 2 minutes, then 10 minutes, then 30 minutes.

We suspect the Wireshark time stamps are incorrect, because it is the only movable object in this scenario - it moves when the virtual server moves. But even so, I can't explain away a 30 minute difference for the same packet. And I was told all servers in the data center are time sync'd to the same NTP server.