TraceMarker (click to download)
TraceMarker is a small tool I wrote to be able to "mark" packet traces. If you have ever done some packet analysis (especially on traces that were running over a longer period of time) you know that it is sometimes a nightmare to find the right packets to look at - there are just too many of them ;)
The focus while doing the UI was to keep it as simple as possible, so that non-IT people can use it too.
The tool lets you send UDP or ICMP packets by simply clicking a button such as "Problem now". It sends the packet with a configurable length, TTL and (for UDP) port, so it can easily be spotted in the trace file. Users can also add a comment to the packet, which is then included in the payload. As these markings are unencrypted on purpose, you can easily search for these packets.
The payload itself contains the hostname, the local client time, the UTC time, the kind of marking and the comment (if any).
A VERY important point for me was the "ease of use" of the tool. When you have "users" you cannot expect them to enter some nice and fancy commands in the CLI when the problem occurs. TraceMarker offers a few buttons the user can hit at the right moment:
That's all the user has to deal with.
As the tool only uses connectionless protocols, no server install is needed. The packets are simply "fire and forget". Of course you may want to make sure you don't fire UDP packets at a listening port - you never know how the server may behave...
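To show what such a marker looks like on the wire, here is an added Python example (my own illustration, not TraceMarker's code): it assembles a cleartext payload with the fields listed above and fires it off as a single UDP datagram with a distinctive TTL. The pipe-separated key=value layout, the padding character, the TTL of 42 and the destination port 33434 (the traceroute base port, chosen because normally nothing listens there) are all assumptions; the page names the fields but not the exact format. ICMP markers are left out because they need a raw socket and privileges.

```python
import datetime
import socket
import time

MARKER_TAG = "Tracemarker"   # the string the Wireshark display filter searches for


def build_marker_payload(kind, comment="", hostname=None, now=None, length=None):
    """Assemble the cleartext payload: tag, hostname, local time, UTC time,
    kind of marking and comment. The pipe-separated key=value layout is an
    assumption; the page lists the fields but not their exact format."""
    hostname = hostname or socket.gethostname()
    now = time.time() if now is None else now
    local_ts = datetime.datetime.fromtimestamp(now).isoformat(timespec="seconds")
    utc_ts = datetime.datetime.fromtimestamp(
        now, datetime.timezone.utc).isoformat(timespec="seconds")
    # keep the separator and line breaks out of free text so fields stay searchable
    comment = comment.replace("|", "/").replace("\n", " ")
    text = (f"{MARKER_TAG}|host={hostname}|local={local_ts}|utc={utc_ts}"
            f"|kind={kind}|comment={comment}")
    payload = text.encode("utf-8")
    if length is not None:
        if length < len(payload):
            raise ValueError(
                f"length {length} is smaller than the payload ({len(payload)} bytes)")
        payload = payload.ljust(length, b".")   # pad to the configured, easily spotted size
    return payload


def send_udp_marker(payload, dest="127.0.0.1", port=33434, ttl=42):
    """Fire-and-forget UDP send with a distinctive TTL. Destination and port are
    assumptions: pick a port nothing listens on, as the page advises.
    Returns the number of bytes handed to the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        return sock.sendto(payload, (dest, port))
    finally:
        sock.close()


if __name__ == "__main__":
    marker = build_marker_payload("Problem now", comment="login takes minutes", length=256)
    print(f"sent {send_udp_marker(marker)} bytes: {marker[:80]!r}...")
```

The fixed length and unusual TTL are what make the datagram stand out in a trace even before you read the payload; the tag string at the start of the payload is what the display filter later keys on.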
To find these special packets in Wireshark, set the display filter to frame contains "Tracemarker"
Right-click on one of the found packets and select "Follow" -> "UDP Stream".
This will show you something like this:
The cool thing:
Now leave the above window open, remove the display filter in Wireshark (and apply it), go back to the "Follow UDP Stream" window and click on an entry (directly in the text box) - Wireshark will automatically jump to the corresponding packet and you know where to start your work.
When you have thousands and thousands of packets in your trace you'll probably be happy to find the packets you really want to inspect.
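For traces that are too big to open comfortably, the same search can be scripted. The following is an added Python example (mine, not part of TraceMarker): a minimal libpcap reader that applies the equivalent of the frame contains "Tracemarker" filter to every frame and lists the frame number, timestamp and marker text, so you know where to jump before opening the file in Wireshark. The sample capture is constructed inline (Ethernet/IPv4/UDP frames with the IP checksum left at zero); the marker payload layout in it is an assumption.

```python
import struct

MARKER = b"Tracemarker"   # the tag the page's Wireshark display filter searches for


def pcap_frames(data):
    """Yield (frame_no, timestamp, frame_bytes) from classic libpcap data.
    Handles both byte orders and the nanosecond-resolution magic number."""
    magic = struct.unpack("<I", data[:4])[0]
    layouts = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}
    if magic not in layouts:
        raise ValueError("not a libpcap file")
    endian, frac_div = layouts[magic]
    offset, frame_no = 24, 0          # 24-byte global header
    while offset + 16 <= len(data):   # 16-byte record header per frame
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        frame_no += 1
        yield frame_no, ts_sec + ts_frac / frac_div, frame


def find_markers(data):
    """Scripted equivalent of  frame contains "Tracemarker" : return
    (frame_no, timestamp, marker_text) for every frame whose raw bytes contain the tag."""
    hits = []
    for frame_no, ts, frame in pcap_frames(data):
        idx = frame.find(MARKER)
        if idx >= 0:
            hits.append((frame_no, ts, frame[idx:].decode("utf-8", "replace")))
    return hits


# --- constructed sample capture (not a real trace) ---------------------------
def _udp_frame(payload):
    """Ethernet + IPv4 + UDP around payload; IP checksum left zero (sample only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 33434, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return eth + ip + udp


def _record(ts_sec, frame):
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def sample_pcap():
    frames = [_udp_frame(b"ordinary traffic"),
              _udp_frame(b"Tracemarker|host=pc1|kind=Problem now|comment=login hangs"),
              _udp_frame(b"more ordinary traffic")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(_record(1700000000 + i, f) for i, f in enumerate(frames))


if __name__ == "__main__":
    for frame_no, ts, text in find_markers(sample_pcap()):
        print(f"frame {frame_no} @ {ts:.6f}: {text}")
```

Because the match is done on the raw frame bytes, exactly like Wireshark's frame contains, it works regardless of whether the marker travelled over UDP or ICMP. For pcapng files use a library such as scapy or dpkt instead of this reader.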
To be continued.... dinner is ready ;)