How to filter the packets that have no responses

  • Question

  • Hi,

    I captured many TCP/UDP/ICMP/ARP/etc packets sent from/to a specified MAC address. I want to filter the packets that didn't have corresponding TCP/UDP/ICMP/ARP/etc responses. How should I do that? I'm troubleshooting slowness in Windows logon.

    Thanks,
    高麻雀

    • Edited by 高麻雀 Wednesday, February 20, 2013 12:19 PM
    Wednesday, February 20, 2013 12:17 PM

Answers

  • The method is different depending on the protocol.  And in some cases, you might not expect to get a response.

    TCP will resend traffic if there is no response, but it is not a one for one request/response.  You can look for difficulties with TCP traffic by applying a filter of "Property.TCPRetransmit == 1".  By the way, this is available in the filter library.  If you have lots of retransmits, then this could be slowing down your Windows logon.

    ICMP is sometimes a one for one response.  But there are single commands that don't have a response, like a message dropped by the router.  But finding the corresponding response is a somewhat manual procedure.

    ARP is also a manual procedure because there is no ID for associating requests and responses.  Usually ARP is not an issue with slow logon, though I suppose it's possible.  But this would be evident in a trace because the traffic conversation with the logon server would be preceded by lots of ARP traffic for its address.  Or the logon server would be affected by its attempt to contact the authenticating server, if it's different.

    Finally, UDP depends on the protocol that rides on top of it.  By itself, you cannot expect a response to any UDP packet.  By definition it's connectionless.  In terms of Windows logon, you would be looking for DHCP or DNS type traffic, which would be obvious because requests for the server name or authentication server would not get a response and be asked for again and again.

    Another tool that might help is Message Analyzer, for which we just released beta 2 on connect.microsoft.com.  (see this announcement: http://blogs.technet.com/b/messageanalyzer/archive/2013/02/15/microsoft-message-analyzer-beta-2-is-released-build-5950.aspx)

    It has some tools, like a time elapsed column, which lets you see the response times for each part of a logon request.  It also pairs up requests automatically so you can see if a response for the logon request is missing, perhaps with some DNS/ARP traffic in between.  Also we mark TCP retransmits automatically so you can see if a lot of them show up.

    Unfortunately the problem you are trying to troubleshoot is complex and requires more than just looking for missing responses, but hopefully with some research you can make some progress.

    Thanks,

    Paul

    • Marked as answer by 高麻雀 Wednesday, February 27, 2013 8:38 AM
    Monday, February 25, 2013 4:59 PM
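The pairing logic Paul describes, written out as an added example that is not part of the original thread and not Network Monitor's or Message Analyzer's own code. It works on constructed packet records (the dicts a capture parser would produce; no real trace is read), pairs DNS queries by transaction ID, ARP requests/replies by swapped sender/target IP, and ICMP echo by identifier and sequence number, flags TCP segments that repeat an earlier segment as retransmits (a simplified stand-in for the `Property.TCPRetransmit` filter), and reports DNS names that are asked for again and again without an answer. TCP is deliberately left out of the request/response pairing, for the reason the post gives. The hostnames, addresses and frame numbers are all made up.

```python
"""Find requests with no response in a parsed capture, per protocol."""
from collections import defaultdict


def pkt(n, t, proto, **fields):
    """Build one constructed packet record: frame number, time, protocol, fields."""
    return {"n": n, "t": t, "proto": proto, **fields}


# Constructed sample capture (client 10.0.0.5 logging on; not real data).
SAMPLE_PACKETS = [
    pkt(1, 0.000, "dns", qr="query", txid=0x1A2B, src="10.0.0.5", dst="10.0.0.1", name="dc1.corp.example."),
    pkt(2, 0.010, "dns", qr="response", txid=0x1A2B, src="10.0.0.1", dst="10.0.0.5", name="dc1.corp.example."),
    pkt(3, 0.020, "arp", op="request", sender_ip="10.0.0.5", target_ip="10.0.0.1"),
    pkt(4, 0.021, "arp", op="reply", sender_ip="10.0.0.1", target_ip="10.0.0.5"),
    pkt(5, 0.030, "icmp", type="echo-request", id=1, seq=1, src="10.0.0.5", dst="10.0.0.2"),
    pkt(6, 0.031, "icmp", type="echo-reply", id=1, seq=1, src="10.0.0.2", dst="10.0.0.5"),
    pkt(7, 0.050, "tcp", flags="S", src="10.0.0.5", sport=50000, dst="10.0.0.2", dport=445, seq=100),
    # SRV lookup for the domain controller: three tries, never answered
    # (this constructed resolver uses a fresh transaction ID per retry).
    pkt(8, 0.100, "dns", qr="query", txid=0x1A2C, src="10.0.0.5", dst="10.0.0.1", name="_ldap._tcp.corp.example."),
    pkt(9, 1.030, "icmp", type="echo-request", id=1, seq=2, src="10.0.0.5", dst="10.0.0.2"),  # no reply
    pkt(10, 1.100, "dns", qr="query", txid=0x1A2D, src="10.0.0.5", dst="10.0.0.1", name="_ldap._tcp.corp.example."),
    pkt(11, 2.100, "dns", qr="query", txid=0x1A2E, src="10.0.0.5", dst="10.0.0.1", name="_ldap._tcp.corp.example."),
    pkt(12, 3.050, "tcp", flags="S", src="10.0.0.5", sport=50000, dst="10.0.0.2", dport=445, seq=100),  # SYN retransmit
    pkt(13, 9.050, "tcp", flags="S", src="10.0.0.5", sport=50000, dst="10.0.0.2", dport=445, seq=100),  # SYN retransmit
]


def request_key(p):
    """Pairing key for a request packet, or None if the packet is not a request."""
    if p["proto"] == "dns" and p["qr"] == "query":
        return ("dns", p["txid"], p["src"], p["dst"])
    if p["proto"] == "arp" and p["op"] == "request":
        # ARP has no transaction ID: pair on who asked about whom.
        return ("arp", p["sender_ip"], p["target_ip"])
    if p["proto"] == "icmp" and p["type"] == "echo-request":
        return ("icmp", p["id"], p["seq"], p["src"], p["dst"])
    return None


def response_key(p):
    """Key of the request this packet answers (directions swapped), or None."""
    if p["proto"] == "dns" and p["qr"] == "response":
        return ("dns", p["txid"], p["dst"], p["src"])
    if p["proto"] == "arp" and p["op"] == "reply":
        return ("arp", p["target_ip"], p["sender_ip"])
    if p["proto"] == "icmp" and p["type"] == "echo-reply":
        return ("icmp", p["id"], p["seq"], p["dst"], p["src"])
    return None


def unanswered_requests(packets):
    """Frame numbers of DNS/ARP/ICMP-echo requests that never got a response.

    Requests are queued per key in time order; a response clears the oldest
    outstanding request with that key, so later duplicates stay unanswered.
    """
    pending = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["t"]):
        rk = request_key(p)
        if rk is not None:
            pending[rk].append(p["n"])
            continue
        sk = response_key(p)
        if sk is not None and pending[sk]:
            pending[sk].pop(0)
    return sorted(n for frames in pending.values() for n in frames)


def tcp_retransmits(packets):
    """Frame numbers of TCP segments repeating an earlier (4-tuple, seq, flags).

    Simplified heuristic standing in for Network Monitor's Property.TCPRetransmit;
    it ignores window/ACK-only traffic and sequence wraparound.
    """
    seen, out = set(), []
    for p in sorted(packets, key=lambda p: p["t"]):
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"], p["flags"])
        if key in seen:
            out.append(p["n"])
        seen.add(key)
    return out


def repeated_unanswered_dns(packets, min_count=2):
    """(client, name) pairs queried at least min_count times with no answer."""
    missing = set(unanswered_requests(packets))
    counts = defaultdict(int)
    for p in packets:
        if p["proto"] == "dns" and p["qr"] == "query" and p["n"] in missing:
            counts[(p["src"], p["name"])] += 1
    return {k: v for k, v in counts.items() if v >= min_count}


if __name__ == "__main__":
    print("unanswered requests:", unanswered_requests(SAMPLE_PACKETS))
    print("tcp retransmits:", tcp_retransmits(SAMPLE_PACKETS))
    print("repeated unanswered DNS:", repeated_unanswered_dns(SAMPLE_PACKETS))
```

On the constructed sample the unanswered list is frames 8, 9, 10 and 11, the two repeated SYNs (frames 12 and 13) are the retransmits, and the `_ldap._tcp` SRV name shows up three times with no answer, which is exactly the "asked for again and again" pattern Paul says to look for in a slow logon. To run it on a real trace, replace `SAMPLE_PACKETS` with records produced by whatever parser you use; the pairing keys are the only protocol knowledge the script needs.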

All replies

  • Thanks very much Paul. I really appreciate your detailed explanation. I will try the Message Analyzer you recommended.

    Thanks again!
    高麻雀

    Wednesday, February 27, 2013 8:43 AM
  • Hi Paul,

    I'm sorry that I didn't find the Message Analyzer download from the link you sent me. I also didn't find the same from Microsoft Download Center. Any changes?

    Thanks,
    高麻雀

    Wednesday, February 27, 2013 9:10 AM