Wireshark packet capturing: error analysis
2022-07-19 06:49:00 【Did you learn to waste today】
- It's been too long, so I'll briefly note down a part; getting off work first.
Tool: Wireshark
Commonly used Wireshark filter rules:
1. Address filtering
ip.src: source address
ip.dst: destination address
ip.host: the value after name resolution
ip.addr: a given address (source or destination)
(To filter IPv6, use ipv6.*)
ip.addr > && ip.addr <: display an address range
2. Port filtering
protocol.port == port: shows the packets of the relevant protocol
* DHCP filter
DHCPv4 is filtered with the bootp syntax; the IPv6 version is not based on bootp, so use DHCPv6
3. Filter a single TCP/UDP conversation:
In the Packet List, right-click and choose Conversation Filter | TCP/UDP
4. Follow a stream
Right-click and choose Follow Stream
I. Response problems:
1. Mass retransmission:
The peer takes a long time to respond, where normally there would be no retransmission: the network may be unstable. Capture packets on the intermediate devices and check where the packets are lost.
Mass retransmission together with dup ACKs: there is probably packet loss on the link. Mirroring the traffic makes this easier to troubleshoot.
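The check described above, as an added Python example that is not part of the original post: it counts retransmissions and duplicate ACKs in one capture, then compares a capture taken before the intermediate device with one taken behind it to say where the segment was lost. The traces and function names are constructed, and it assumes the device forwards TCP sequence numbers unchanged.

```python
from collections import Counter

# Constructed capture of one flow taken before the intermediate device.
# Record: (time_s, direction, seq, ack, payload_len); "c2s" carries the data.
BEFORE_DEVICE = [
    (0.000, "c2s", 1, 1, 1000),
    (0.001, "c2s", 1001, 1, 1000),   # first copy, dropped further along
    (0.002, "c2s", 2001, 1, 1000),
    (0.020, "s2c", 1, 1001, 0),      # ACK up to 1001
    (0.021, "s2c", 1, 1001, 0),      # duplicate ACK
    (0.022, "s2c", 1, 1001, 0),      # duplicate ACK
    (0.040, "c2s", 1001, 1, 1000),   # retransmission
    (0.060, "s2c", 1, 3001, 0),
]
# Constructed capture behind the device: the first copy of seq 1001 is missing.
AFTER_DEVICE = [p for i, p in enumerate(BEFORE_DEVICE) if i != 1]


def analyse(capture):
    """Return (retransmitted seq numbers, duplicate-ACK count) for one capture."""
    highest = {"c2s": 0, "s2c": 0}   # highest seq+len seen per direction
    last_ack = {}                    # last pure-ACK number per direction
    retrans, dup_acks = [], 0
    for _t, direction, seq, ack, length in capture:
        other = "s2c" if direction == "c2s" else "c2s"
        if length:
            if seq + length <= highest[direction]:
                retrans.append(seq)          # this data was already seen once
            highest[direction] = max(highest[direction], seq + length)
        else:
            # Same ACK number again while the peer has sent data beyond it.
            if last_ack.get(direction) == ack and highest[other] > ack:
                dup_acks += 1
            last_ack[direction] = ack
    return retrans, dup_acks


def data_copies(capture):
    """Count how many times each client data segment appears in a capture."""
    return Counter(s for _t, d, s, _a, n in capture if d == "c2s" and n)


def locate_loss(before, after):
    """For each retransmitted segment, say on which side of the second capture point it was lost."""
    sent, arrived = data_copies(before), data_copies(after)
    return {seq: "between the capture points" if arrived[seq] < sent[seq]
            else "beyond the second capture point" for seq in analyse(before)[0]}
```

In Wireshark itself the same packets are shown by the display filters `tcp.analysis.retransmission` and `tcp.analysis.duplicate_ack`. A "beyond the second capture point" verdict also covers the case where the data arrived and the ACK was lost on the way back.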
2. Slow response: check the peer

TCP Keep-Alive: a keep-alive detection mechanism. It avoids the situation where, while both sides of a connection are idle, one side fails and the other keeps the connection up without knowing it, which wastes resources and can lead to business data being sent over a dead connection and the send failing.
Load-balancing device forwarding problems:
1. Memory, disk and CPU usage
2. Check whether there are alarms in the logs
3. Configuration problems
Cases where the F5 actively drops packets:
1. The VLAN ID of the received packet does not match the interface VLAN
2. Unknown data type
3. The connected device port is flooding packets
Slow server response:
1. From the client, use ping and curl to rule out whether the problem is on the client or on the server
2. Check the server's load, disk, memory and logs, and whether the application is abnormal
3. Number of database connections, active threads, query efficiency
4. File server and cache server: load, disk, memory, logs, and whether the application is abnormal
II. Connection setup failed:
(Taking packet captures on the load-balancing device as an example)
1. The server does not respond: (Performance L4 type VS; packets 6-9 go client > F5 > server, no problem)
After address translation the F5 sends the packet to the server; the server does not respond, and the F5 sends a RST to disconnect.
The client's SYN packet passes through the F5 and is sent on to the back-end server, and the server does not respond.
After three retransmissions there is still nothing back from the server, so the F5 actively sends a RST to disconnect. Device forwarding is not the problem; the page error is a 504, indicating that the server did not respond. Check whether a firewall is intercepting the traffic.
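The signature described above (a SYN, three retransmitted SYNs, no reply, then a RST from the sending side) can be told apart from a refused or a healthy connection with a small classifier. This is an added Python example, not from the original post; the packet records, addresses and function name are constructed, with 10.0.0.5 standing in for the load balancer's server-side address.

```python
from collections import defaultdict

# Constructed server-side capture on the load balancer.
# Record: (time_s, src, sport, dst, dport, tcp_flags); all addresses are made up.
PACKETS = [
    (0.000, "10.0.0.5", 40001, "10.0.1.20", 80, "S"),    # SYN to a silent server
    (1.000, "10.0.0.5", 40001, "10.0.1.20", 80, "S"),    # retransmission 1
    (3.000, "10.0.0.5", 40001, "10.0.1.20", 80, "S"),    # retransmission 2
    (7.000, "10.0.0.5", 40001, "10.0.1.20", 80, "S"),    # retransmission 3
    (15.00, "10.0.0.5", 40001, "10.0.1.20", 80, "R"),    # sender gives up
    (0.100, "10.0.0.5", 40002, "10.0.1.21", 80, "S"),    # healthy handshake
    (0.101, "10.0.1.21", 80, "10.0.0.5", 40002, "SA"),
    (0.102, "10.0.0.5", 40002, "10.0.1.21", 80, "A"),
    (0.200, "10.0.0.5", 40003, "10.0.1.22", 80, "S"),    # port closed on server
    (0.201, "10.0.1.22", 80, "10.0.0.5", 40003, "RA"),
]


def classify_handshakes(packets):
    """Map each (src, sport, dst, dport) that sent a SYN to a verdict string."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False, "rst_by": None})
    for _t, src, sport, dst, dport, flags in sorted(packets):
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            flows[key]["syn"] += 1                 # initial SYN or a retransmission
        elif flags == "SA" and rev in flows:
            flows[rev]["synack"] = True            # server answered
        elif "R" in flags:
            if key in flows:
                flows[key]["rst_by"] = "sender"    # RST in the SYN's direction
            elif rev in flows:
                flows[rev]["rst_by"] = "server"    # RST coming back from the server
    verdicts = {}
    for key, f in flows.items():
        if f["synack"]:
            verdicts[key] = "established"
        elif f["rst_by"] == "server":
            verdicts[key] = "refused by server"
        elif f["rst_by"] == "sender":
            verdicts[key] = f"server silent: {f['syn'] - 1} SYN retransmissions, then RST from sender"
        else:
            verdicts[key] = "incomplete"
    return verdicts
```

A "server silent" verdict on the server-side capture points past the load balancer (server down, or a firewall dropping the SYN), while "refused by server" means the SYN arrived and the port was closed.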

2. Wrong MAC address on an intermediate device: check whether the device MAC is correct. In this case the question is whether the intermediate device is sending packets incorrectly; it is suggested to start by checking the MAC on the intermediate device.


3. Routing problem:
The reply came back on the wrong VLAN (ID 16), which does not exist on the load-balancing device (the VLAN ID the F5 sends is 12).
III. DoS problem:
A single user sent DNS packets from the same source port, peaking at 125 krps. All of this user's traffic therefore goes to the same CPU, and the device's performance cannot sustain it.
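To spot this pattern in a capture, the added Python example below (not from the original post) computes the peak per-second rate of every flow and of every CPU. The capture is constructed and scaled down, and the flow-to-CPU mapping is a stand-in hash, since the device's real distribution algorithm is not described here.

```python
import zlib
from collections import Counter

CPUS = 8               # assumed number of packet-processing CPUs
PER_CPU_BUDGET = 50    # assumed packets/second one CPU can absorb (scaled down)
RESOLVER = ("198.51.100.53", 53)


def make_capture():
    """Constructed DNS capture, one record per packet: (second, src, sport, dst, dport)."""
    pkts = []
    for sec in range(3):
        for client in range(40):          # ordinary clients: new source port per query
            for q in range(5):
                pkts.append((sec, f"192.0.2.{client + 1}", 20000 + 7 * client + q, *RESOLVER))
        # one client sending everything from a single source port
        pkts += [(sec, "203.0.113.9", 5353, *RESOLVER)] * 120
    return pkts


def cpu_for(flow):
    """Stand-in for the device's flow-to-CPU distribution (assumption): hash of the 4-tuple."""
    return zlib.crc32(repr(flow).encode()) % CPUS


def peak_rates(pkts, key):
    """Peak packets/second per key(flow), where flow = (src, sport, dst, dport)."""
    per_second = Counter((key(p[1:]), p[0]) for p in pkts)
    peaks = Counter()
    for (k, _sec), n in per_second.items():
        peaks[k] = max(peaks[k], n)
    return peaks


def heavy_hitters(pkts):
    """Flows whose own peak rate exceeds what a single CPU can absorb."""
    flows = peak_rates(pkts, key=lambda flow: flow)
    return {flow: rate for flow, rate in flows.items() if rate > PER_CPU_BUDGET}


def cpu_peaks(pkts):
    """Peak packets/second landing on each CPU under the stand-in hash."""
    return peak_rates(pkts, key=cpu_for)
```

The total here is 320 packets per second, which spread evenly would be 40 per CPU and under budget; the single-port flow alone puts at least 120 on one CPU.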
For Wireshark packet details, refer to the previous article:
https://blog.csdn.net/qq_43148894/article/details/120038136?spm=1001.2014.3001.5502