IBM Support

AIX: Analysing network packet trace

How To


Summary

List of what to look for in a network packet trace

Objective

Analyse network packet capture

Steps

Using a software tool to view the network capture file

Option 1 - ipreport

The ipreport command on AIX converts iptrace binary files to text.
Syntax:
    ipreport -srvnC -X 0 file.out > file.txt
    -s        Prepends the protocol specification to every line in a packet.
    -r        Decodes remote procedure call (RPC) packets.
    -v        Verbose.
    -n        Includes a packet number to facilitate easy comparison of different output formats.
    -C        Validates checksums.
    -X 0      Removes the data portion of the network packet (only the headers are reported).
    file.out  The binary iptrace file.
    file.txt  The text output file written by ipreport.

Option 2 - Wireshark

Graphical freeware tool that can analyze network packet captures.
Downloadable from www.wireshark.org

The top part of the screen shows each individual packet.
The bottom part of the screen shows the packet header breakdown.
Any errors with the packet can be identified in the header.
Note that each header starts with the name or type of the header.
Filters can be applied to focus on certain network packets.
Useful filters:
    ip.addr==<ipaddress>          filters for a specific IP address
    tcp.port==<port_number>       filters for a specific TCP port number
    udp.port==<port_number>       filters for a specific UDP port number
    tcp.analysis.retransmission   filters for retransmitted TCP packets
    tcp.flags.reset==1            filters for network disconnect “reset” (RST) packets
    tcp.flags.syn==1              filters for TCP/IP “synchronize” (SYN) packets
    tcp.flags.fin==1              filters for TCP/IP “fin” (FIN) or goodbye handshake packets
    ip.id==<number>               filters for a specific packet
Tip: ip.id should not change as a packet traverses from machine to machine; use it to match up a packet in two different captures that were taken at the same time.
In traces with a lot of data, or when the clocks on the two systems are set differently, it is better to match ip.id in combination with the TCP sequence number.
Tip: The Time column can be set to "Seconds since previous captured packet", meaning the delta time between packets.
In Wireshark, use Analyze > Follow Stream.
This lets you see only that one connection out of the whole trace.
Once you have narrowed down to a specific packet, you can follow the stream on that packet to see the whole connection it is involved with.
Clues to look for:
  • Traffic only from one side
  • High number of retransmissions, duplicate ACKs, or reset (RST) packets
  • Delta time - a large gap between packets indicates slowness or a timeout
  • Round Trip Time - the time between sending a packet and getting the reply to it
  • Retransmission Timeout (RTO) - has an initial value of three seconds. After each retransmission the value of the RTO is doubled, and up to three retries are made.
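The clues above can be checked mechanically once packets have been parsed out of the ipreport text or a Wireshark export. The following Python is an added example, not IBM's or the page's own code: it runs on a constructed list of packet records (time, source, destination, TCP flags, sequence number) instead of a real capture, counts retransmissions, resets and large inter-packet delta times, flags one-sided traffic, and lists the intervals between retransmissions of the same segment so that the RTO doubling described above is visible.

```python
from collections import Counter, defaultdict, namedtuple

# One parsed packet: capture time (s), IP source/destination, TCP flags, sequence number.
Pkt = namedtuple("Pkt", "t src dst flags seq")

# Constructed sample (not a real capture): client 10.0.0.5 sends a SYN to 10.0.0.9,
# never gets an answer, retransmits with a doubling RTO (3 s, 6 s, 12 s) and
# finally gives up with a reset.
SAMPLE = [
    Pkt(0.000, "10.0.0.5", "10.0.0.9", "S", 100),
    Pkt(3.000, "10.0.0.5", "10.0.0.9", "S", 100),   # first retransmission after 3 s
    Pkt(9.000, "10.0.0.5", "10.0.0.9", "S", 100),   # RTO doubled to 6 s
    Pkt(21.000, "10.0.0.5", "10.0.0.9", "S", 100),  # RTO doubled to 12 s
    Pkt(21.050, "10.0.0.5", "10.0.0.9", "R", 101),  # connection attempt aborted
]


def triage(pkts, delta_threshold=1.0):
    """Count the clues a support engineer checks first in a trace.

    A retransmission is the same (src, dst, seq, flags) tuple seen again;
    a large delta is a gap of at least delta_threshold seconds between
    consecutive packets; one_sided is 1 when only one host ever sends.
    """
    seen, senders, report, prev_t = set(), set(), Counter(), None
    for p in pkts:
        senders.add(p.src)
        key = (p.src, p.dst, p.seq, p.flags)
        if key in seen:
            report["retransmissions"] += 1
        seen.add(key)
        if "R" in p.flags:
            report["resets"] += 1
        if prev_t is not None and p.t - prev_t >= delta_threshold:
            report["large_deltas"] += 1
        prev_t = p.t
    report["one_sided"] = int(len(senders) == 1)
    return report


def retransmit_intervals(pkts):
    """Seconds between successive sends of the same segment, in send order.

    Doubling values (3, 6, 12, ...) are the RTO back-off described above.
    """
    times = defaultdict(list)
    for p in pkts:
        times[(p.src, p.dst, p.seq, p.flags)].append(p.t)
    intervals = []
    for ts in times.values():
        intervals += [b - a for a, b in zip(ts, ts[1:])]
    return intervals
```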

Additional Information

References
Iptrace daemon and the ipreport and ipfilter commands
https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.performance/iptrace_ipreport_ipfilter.htm
Using packet trace tools iptrace, snoop, tcpdump, wireshark, and nettl
https://www-01.ibm.com/support/docview.wss?uid=swg21175744


Document Information

Modified date:
30 May 2019

UID

ibm10884392