Generate explore.fxt.xml, sessions.fxt.xml and hosts.txt from www.google.com.pcapng.
(mid-task) Consider coalescing the IPv4 and IPv6 axis if they represent the same machine.
Capture: 1,388 packets. analyze_capture detected 11 protocols — DNS, TLS, QUIC, HTTP/3, HTTP/2, mDNS, LLMNR, NetBIOS-NS, ARP, TCP, IPv6 — with a sidecar sslkeylog.log for TLS/QUIC decryption. The best single sample (http3) covered only ~82%, so I authored by combining two built-in samples.
FXT composition strategy
| Source sample | Covers |
|---|---|
http3 | DNS, TCP, TLS, QUIC, HTTP/3, QPACK, HTTP/2, HTTP/1.x — the dominant browsing traffic |
mdns_llmnr | mDNS, LLMNR, NBNS, ARP, SSDP — the “noise” |
Priority gotcha. mDNS and LLMNR reuse the dns.* field names, so the grafted name-resolution templates run at priority 110 — above the generic DNS templates at 100. Otherwise the unicast DNS Query/Response templates would steal multicast packets and mislabel them. auto-v6="true" auto-generates the IPv6 (udpv6/tcpv6) variants.
Validation & render
| File | Templates | PCAP coverage |
|---|---|---|
explore.fxt.xml | 102 | 62% (826 frames) |
sessions.fxt.xml | 67 (+6 session types) | 49% |
The uncovered remainder is the high-volume bare QUIC 1-RTT data the templates deliberately skip to keep the diagram readable. Session outcomes from extract_sessions:
| Type | Outcome | Count |
|---|---|---|
| dns-query | success::dns-resolved | 5 |
| http3-stream | success::http3-2xx | 27 |
| http3-stream | incomplete::no-close | 3 |
| http2-stream | success::http2-2xx | 5 |
| http2-stream | incomplete::no-close | 1 |
| quic-connection | incomplete::no-close | 4 |
| tcp-connection | success::graceful-fin | 3 |
| tcp-connection | incomplete::no-close | 4 |
Coalescing IPv4 + IPv6 lifelines
The diagram axis groups by the name in hosts.txt, so giving an address pair one name collapses both families into a single lifeline. Three machines appeared under both families:
| Machine | IPv4 | IPv6 | Shared name |
|---|---|---|---|
| Client | 192.168.0.21 | fe80::ea41:25df:ab56:5e55 | Client-PC |
| mDNS group | 224.0.0.251 | ff02::fb | mDNS-Multicast |
| LLMNR group | 224.0.0.252 | ff02::1:3 | LLMNR-Multicast |
Finally, materialize_config wrote visualether.toml (TLS keylog + hosts.txt wired in) so a downstream visualether generate needs no flags.
Do we see QUIC and TCP retransmissions?
Yes — both are present. Checked directly with tshark expert-info filters rather than inferred from the diagram.
TCP retransmissions
| Frames | tcp.stream | Direction | Count |
|---|---|---|---|
| 693, 694, 695 | 10 | 74.125.199.94 → Client-PC | 3 |
| (dup-ACK / out-of-order) | — | mixed | 4 |
Three back-to-back retransmitted segments on a single Google server stream, plus 4 minor loss-signal frames.
QUIC retransmissions
Five retransmissions — frames 1102, 1103, 1106, 1107, 1260 — detected via Wireshark’s quic.retransmission expert field (which needs the keylog to see into the encrypted stream — which we have).
In the diagrams
- TCP retransmits render in
tangerine(“🔄 TCP Retransmission”, priority 155). - QUIC retransmits render at priority 210 — deliberately above HTTP/3 (200) so a retransmitted H3 STREAM frame is classified as a loss event, not normal HEADERS/DATA.
- Both are
bookmark="true", so they show in the bookmark sidebar.
So this is a lightly lossy trace — not a major problem. Want me to pull the SNI / authority behind stream 10 and the QUIC frames so you can see which server/page they belonged to?
Yes.
Every retransmission ties back to ancillary content loaded while rendering www.google.com.
TCP retransmissions → www.gstatic.com
TCP stream 10 = Client-PC ↔ www.gstatic.com (74.125.199.94:443), HTTP/2 over TLS (SNI confirmed). Frames 693–695 are three 1412-byte TLS Application Data segments — the bulk body of the gstatic asset responses, i.e. the JavaScript/CSS for Google’s “One Google” top bar:
frame 680 → /og/_/js/k=og.asy.en_US… (JS) frame 717 → /og/_/ss/k=og.asy… (CSS)
QUIC retransmissions → two connections
Mapping each retransmit’s quic.connection.number to its SNI:
| Frames | QUIC conn | Server (SNI) | Direction / content |
|---|---|---|---|
| 1102, 1103 | 2 | ogads-pa.clients6.google.com (142.250.73.106) | server → client |
| 1106, 1107 | 2 | ogads-pa.clients6.google.com | client → server; frame 1107 carries the H3 request /$rpc/…AsyncDataService/GetAsyncData |
| 1260 | 3 | play.google.com (74.125.20.101) | server → client |
Connection 2 (4 of the 5 QUIC retransmits) is the OneGoogle AsyncData gRPC call — gRPC over HTTP/3 to ogads-pa.clients6.google.com that populates the dynamic bits of the One Google bar (account / notifications). Loss hit both directions. Connection 3 is a single retransmit toward play.google.com.
SNI per QUIC connection
| Conn | SNI | Server IP | Retransmits |
|---|---|---|---|
| 0 | www.google.com | 142.251.157.119 | none |
| 1 | www.gstatic.com | 74.125.199.94 | none (QUIC) |
| 2 | ogads-pa.clients6.google.com | 142.250.73.106 | 4 |
| 3 | play.google.com | 74.125.20.101 | 1 |
Bottom line
- Static assets
www.gstatic.comover TCP/HTTP-2 — 3 retransmits on the OneGoogle JS/CSS bundle. - Dynamic RPC
ogads-pa.clients6.google.comover QUIC/HTTP-3 — 4 retransmits on theGetAsyncDatacall, plus 1 stray toplay.google.com. - Main page the
www.google.comQUIC connection (conn 0) saw no retransmissions at all.
Light, transient loss during a normal page load on the OneGoogle bar machinery — nothing pointing at a persistent problem with any one server.
Method. Configs authored and rendered with VisualEther via its MCP integration with Claude — analyze_capture → author explore.fxt.xml / sessions.fxt.xml from combined samples → extract_endpoints for hosts.txt → validate_fxt → materialize_config → explore + extract_sessions. Retransmission counts and host/SNI mapping cross-checked with tshark expert-info and quic.connection.number / tcp.stream queries against the TLS-key-decrypted pcap.