In a recent troubleshooting session with an Avaya IP Office system we had to perform packet traces from both an Avaya IP Office server using tcpdump and from an Avaya IP Office gateway using a port mirror on an Avaya 3500 series switch. The topology was a pretty simple flat network with only 2 switches and 2 VLANs (data and voice). The vendor had asked for some packet traces from both the Avaya IP Office gateway and from the Avaya IP Office server. We were able to obtain the data the next step was to analyze the data… how to make sense of all the noise in the packet trace and discern exactly what was going on. And what (if any) conclusions could be drawn from the collected data.
I thought I would share my default Wireshark setup I use when examining packet traces. In addition to the defaults I like having the Time (since capture start), the DateTime, (absolute time is useful when correlating against other packet traces and log files), DeltaX (time between displayed packets), Seq, Ack, and Bytes in flight.
I have a color rule which highlights the frames in yellow if the frame.time_delta_diplayed is greater than 3 seconds (frame.time_delta_displayed > 3). It helps me to quickly focus on long pauses in communication between two or more devices. While working on this problem I also happened to stumble upon a bug in Wireshark 2.0 that affects the delta time displayed. I discovered bug 11786 was already documented in the Wireshark bug database.
Stumbled onto a known Wireshark 2.0 bug with delta displayed time not showing up properly. https://t.co/RrchR8WBGV
— Michael McNamara (@mfMcNamara) December 23, 2015
If you’re not familiar with how to read packet traces I would suggest you check out Kary Rogers Packet Bomb website. Karry has a number of useful videos covering how to read and interpret a packet trace, along with a few tips on leveraging tools like Wireshark. In the screenshot above I used Jasper Bongertz’s tool TraceWrangler to sanitize the IP addresses from the packet trace before post a screenshot.
Cheers!
Update: The delta time issue has been fixed in Wireshark 2.0.1