Wireshark: How to make sure you are looking at the right packet!


Some weeks ago we had a strange issue. We run an HL7 messaging service, and one of the clients that sends us messages reported a delay in our queues. We had to put a sniffer on the client, on the client's firewall, on the server and on the 4 firewalls in our environment.

The client told us that some packets were getting stuck for 3 seconds, and we saw that this packet was being retransmitted. Here we could see the first SYN and the TCP retransmission 3 seconds later.

Often the clocks are not synchronized across all the systems, so the timestamp alone will not tell you which of the two packets you are looking at in each capture. The IP Identification field will: the sending stack normally assigns each datagram it emits a new Identification value, so the retransmitted SYN carries a different one even though its TCP sequence number is exactly the same as the original's. Here I will show you the Packet bytes pane of the first SYN and, below it, the packet bytes from the TCP retransmission:

First SYN – Packet bytes pane. The Identification value is 0x4253

TCP Retransmission – Packet bytes pane. The Identification value is 0x4521

Now I will show you the server-side *.pcap, where we see only one of the packets. The first SYN wasn't reaching the server.

On the server side we can see that the IP Identification of the packet corresponds to the TCP retransmission: value 0x4521. In Wireshark you can jump straight to that packet in any of the captures with the display filter ip.id == 0x4521.

The problem was in the client's firewall, but the purpose of this post was to show how to identify a TCP retransmission packet across captures, because identifying the packet by its time isn't a good idea.
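To make the matching concrete, here is an added Python example; it is not code from the original post. It parses raw IPv4/TCP headers the same way you would read the packet bytes pane, keys each packet on addresses, ports and IP Identification, and reports which client-side transmissions appear in a server-side capture. The two Identification values 0x4253 and 0x4521 come from the post; the packets themselves, the addresses 192.0.2.10 and 198.51.100.20, the ports 40000 and 2575 and the sequence number are constructed for the demo. It also handles the one case where the method breaks down: a DF datagram whose Identification is 0, which RFC 6864 permits a sender to do, so such packets are reported as unmatchable instead of producing a false "missing".

```python
import socket
import struct
from dataclasses import dataclass

TCP_SYN = 0x02
IP_DF = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset word


@dataclass(frozen=True)
class PacketKey:
    """Fields that identify one transmission of a packet across captures.
    The IP Identification value separates an original from its retransmission:
    both carry the same TCP sequence number, but the IP stack normally gives
    every datagram it emits a fresh Identification value."""
    src: str
    dst: str
    sport: int
    dport: int
    ip_id: int


@dataclass
class ParsedPacket:
    key: PacketKey
    seq: int
    flags: int
    df: bool


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, ip_id, seq, flags, df=True) -> bytes:
    """Build a minimal IPv4 + TCP header (no options, no payload) for the demo capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, IP_DF if df else 0,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill in the checksum
    return hdr + tcp


def parse_ipv4_tcp(raw: bytes) -> ParsedPacket:
    """Extract what the packet bytes pane shows: IP ID, DF bit, addresses, ports, seq and flags."""
    vihl, _tos, _tot_len, ip_id, frag, _ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ip_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return ParsedPacket(PacketKey(socket.inet_ntoa(s), socket.inet_ntoa(d), sport, dport, ip_id),
                        seq, flags, bool(frag & IP_DF))


def match_captures(client_pkts, server_pkts):
    """For each client-side packet say whether the same transmission is in the server capture.
    Status is "seen", "missing" or "unmatchable": RFC 6864 lets a sender put any value,
    including 0, in the ID of a DF (atomic) datagram, so ID 0 + DF cannot tell transmissions apart."""
    server_keys = {p.key for p in server_pkts}
    results = []
    for p in client_pkts:
        if p.df and p.key.ip_id == 0:
            results.append((p, "unmatchable"))
        elif p.key in server_keys:
            results.append((p, "seen"))
        else:
            results.append((p, "missing"))
    return results


def wireshark_filter(p: ParsedPacket) -> str:
    """Display filter that isolates this exact transmission in any of the captures."""
    return (f"ip.src == {p.key.src} && ip.dst == {p.key.dst} && "
            f"tcp.srcport == {p.key.sport} && tcp.dstport == {p.key.dport} && "
            f"ip.id == 0x{p.key.ip_id:04x}")


def demo():
    """Constructed reproduction of the post's scenario (addresses, ports and ISN are made up)."""
    client, server = "192.0.2.10", "198.51.100.20"
    isn = 0x1E240  # both SYNs share this sequence number, so seq cannot separate them
    first_syn = build_ipv4_tcp(client, server, 40000, 2575, 0x4253, isn, TCP_SYN)
    retrans = build_ipv4_tcp(client, server, 40000, 2575, 0x4521, isn, TCP_SYN)
    client_capture = [parse_ipv4_tcp(first_syn), parse_ipv4_tcp(retrans)]
    server_capture = [parse_ipv4_tcp(retrans)]  # only the retransmission reached the server
    return match_captures(client_capture, server_capture)


if __name__ == "__main__":
    for pkt, status in demo():
        print(f"ip.id=0x{pkt.key.ip_id:04x} seq={pkt.seq} -> {status}   filter: {wireshark_filter(pkt)}")
```

One caveat worth keeping in mind when you apply this between captures taken on different sides of a firewall: some packet filters normalize or randomize the IP Identification as traffic passes through them (pf's scrub random-id is one example), in which case the same transmission shows a different ID on each side. If that is what you are seeing, compare the TCP Timestamps option (TSval) instead, which also differs between an original and its retransmission because it reflects the sender's clock at each send.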

Maybe this is too obvious for most of you, but I think it could help some people.


