jaecollective.blogg.se

Compare two wireshark captures

It looks like you're expecting the captures to show the same packets taken at the same time in two different locations, so the first thing to do is to verify whether that assumption is correct or whether the packets aren't from the same connections. To do that I'd filter on the SYN packets only (tcp.flags == 0x02) and compare the TCP initial sequence numbers. If you can find the same SYN packets on both sides you just go and filter on the session, and not by TCP stream number, because it may be different. Use a conversation filter instead, meaning that you filter on IP and port of both client and server. After that, you need to start comparing the single packets of the conversations to see what is different.

If you can't find a match you have some sort of proxying going on, which means that matching the sessions will be very difficult since the TCP connections are completely different. In that case you need to find out why this happens, and what kind of devices are involved (maybe some normal proxy, maybe WAN accelerators etc.).
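The matching procedure described above, as an added example that is not part of the original post: it reads two pcap files, keeps only SYN-only packets (the equivalent of the display filter tcp.flags == 0x02), keys each connection on client IP, server IP, both ports and the initial sequence number rather than on tcp.stream, reports which connections appear in both files, and builds the Wireshark conversation filter for each match. The two captures are constructed inline (not real traffic); capture A is taken on the client side and capture B behind a proxy that terminates the port-80 connection, so that connection has no matching SYN. Assumptions: classic little-endian libpcap files (not pcapng), Ethernet II frames, IPv4, no VLAN tags; all function names are this example's own.

```python
"""Match TCP connections across two captures by their SYN packets.
Assumptions (this example's own): little-endian libpcap files, Ethernet II,
IPv4, no VLAN tags. Captures are constructed inline, not real traffic."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
TCP_SYN, TCP_ACK = 0x02, 0x10


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src, dst, sport, dport, seq, flags, ack=0) -> bytes:
    """Ethernet II + IPv4 + TCP header, no payload (TCP checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames, base_ts=1700000000) -> bytes:
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET = 1), then records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data: bytes):
    """Yield (timestamp, frame bytes) for each record of a little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]
    if len(tcp) < 14:
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "flags": tcp[13]}


def syn_index(pcap: bytes) -> dict:
    """Same selection as the display filter tcp.flags == 0x02 (SYN set, nothing else).
    Returns {(client, server, sport, dport, ISN): first timestamp seen}."""
    index = {}
    for ts, frame in iter_pcap(pcap):
        p = parse_tcp(frame)
        if p and p["flags"] == TCP_SYN:
            index.setdefault((p["src"], p["dst"], p["sport"], p["dport"], p["seq"]), ts)
    return index


def match_captures(pcap_a: bytes, pcap_b: bytes):
    """Connections seen in both files, only in A, only in B. Unmatched SYNs on both
    sides towards the same server point at a proxy re-originating connections."""
    a, b = syn_index(pcap_a), syn_index(pcap_b)
    return sorted(set(a) & set(b)), sorted(set(a) - set(b)), sorted(set(b) - set(a))


def conversation_filter(key) -> str:
    """Wireshark conversation filter for a matched connection (IP and port of both ends)."""
    client, server, sport, dport, _isn = key
    return f"ip.addr == {client} && ip.addr == {server} && tcp.port == {sport} && tcp.port == {dport}"


# Constructed sample captures: A on the client segment, B on the server segment
# behind a proxy that terminates port-80 connections and opens its own.
CLIENT, PROXY, SERVER = "10.0.0.10", "10.0.0.1", "192.0.2.20"
CAPTURE_A = build_pcap([
    build_tcp_frame(CLIENT, SERVER, 40001, 443, 1000, TCP_SYN),                  # conn 1 (tcp.stream 0 in A)
    build_tcp_frame(SERVER, CLIENT, 443, 40001, 5000, TCP_SYN | TCP_ACK, 1001),  # SYN/ACK: flags 0x12, not selected
    build_tcp_frame(CLIENT, SERVER, 40002, 80, 2000, TCP_SYN),                   # conn 2, terminated by the proxy
])
CAPTURE_B = build_pcap([
    build_tcp_frame(PROXY, SERVER, 50001, 80, 3000, TCP_SYN),                    # proxy's own connection: new ports, new ISN
    build_tcp_frame(CLIENT, SERVER, 40001, 443, 1000, TCP_SYN),                  # conn 1 again (tcp.stream 1 in B)
], base_ts=1700000005)

if __name__ == "__main__":
    matched, only_a, only_b = match_captures(CAPTURE_A, CAPTURE_B)
    for key in matched:
        print("in both captures, compare with filter:", conversation_filter(key))
    print("only in A (dropped or rewritten in between):", only_a)
    print("only in B (originated by something in between):", only_b)
```

On real files the same five fields come out of tshark with `-r file.pcap -Y "tcp.flags == 0x02" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.seq_raw`; use tcp.seq_raw rather than tcp.seq, because with relative sequence numbers enabled every SYN shows a sequence number of 0 and nothing can be matched on it. Once a connection matches, the timestamp difference between the two SYN records also gives the offset between the capture points, which is useful before comparing the individual packets of the conversation.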