Hi folks, I recently had to perform some surgery on a packet capture that had dropped packets.
I was capturing a GbE link that was operating at capacity and a few packets were dropped in the area I was interested in. I was chasing the reason that the current Mac OS X smbfs would disconnect from the server on some occasions. I was interested in the SMB headers and had no interest in the data carried in SMB writes or reads, and fortunately, none of the dropped packets in the area I was interested in covered SMB headers. Using wireedit, mergecap and Wireshark's ability to export packets from a point in the capture I was able to put together a new capture that showed me all the SMB info, by: 1. Exporting a singe frame where the NetBIOS/SMB header was in the middle of a TCP segment, 2. Remove the portion from before the NetBIOS header and adjust the sequence number (that is, essentially split the segment into two), 3. Merge the adjusted packet with the packets from after its position in the capture, 4. Make up the missing few packets/segments by saving the packet from before the missing segment, duplicating the data and adjusting the sequence numbers. This worked quite well and I was able to determine that the Mac OS X smbfs was sometimes not sending an SMB request and thus causing crediting issues. That lead me to think of the following changes that would be useful: 1. It would be useful to have a right-mouse-button menu item that allows you to split a frame into two TCP segments at the point where the mouse is pointing. This would possibly allow Wireshark to correctly dissect the data starting at that point, especially if you save the capture from the new frame forward. 2. It would also be useful if you could tell Wireshark: Please insert a TCP segment with random data to cover the missing segments that it so conveniently warns you about. Perhaps these could be handled by adding some sort of pcap-ng annotation to the frames specifying additional actions. Anyway, can anyone think of other ways to achieve what I want and other ideas like these? -- Regards, Richard Sharpe (何以解憂?唯有杜康。--曹操)(传说杜康是酒的发明者) ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe