Posts

Showing posts from August, 2016

Sharing large packet captures

There are few things more frustrating than waiting for large wireshark captures to download or filters to execute. tshark, a utility included with wireshark, can help you very quickly slice and dice large captures to share with friends & family after you've found something interesting. For example, if you know the ephemeral port involved, create a new packet capture:

tshark -r big.cap -Y "tcp.port eq 35979" -w filtered.cap

Or if you know that things really got interesting after some specific time (as copied from the time value in an Ethernet frame):

tshark -Y '(frame.time >= "Oct 15, 2012 16:00:00") && (frame.time <= "Oct 15, 2012 17:00:00")' -r big.cap -w filtered.cap

A similar tool named editcap can be used to split a large capture into multiple time-based intervals:

editcap -i 60 big.cap split.cap

Note: When dealing with captures in a non-native format, I've found you have to explicitly add -F to sp...

Quickly finding failed/timed-out connections with wireshark

If you have a problem where TCP connections fail or are timing out, and you don't know the source port, you can use Wireshark's statistics menu to quickly identify the suspiciously "short" TCP streams. After loading up your capture, select "Statistics" from the top-level menu, then "Conversations". Click the "TCP" tab and you'll be able to sort by number of packets or bytes in the TCP conversation. Once you have your list of streams with a low number of bytes or packets, you can right-click the row and apply it as a filter to your normal capture window. Don't be too discriminating about the streams you look deeper into via the filtered window! Because of retransmits, the conversation view may show 3 or 4 packets, and hundreds of bytes, for a single retransmitted SYN! Speaking of retransmits, another trick for debugging connection problems is directly looking for connection attempts that lead to retransmits. This i...