How to find dropped packets via WireShark

Posted on 2013-02-05
Medium Priority
Last Modified: 2013-12-06
I hope I selected the correct topics.

I have about 10GB of WireShark PCaP capture files.
Reason I did the capture,  the developers where pointing out to dropped packets from our Vendor who provides Multicast data. they wrote an application to track the sequence numbers and dropped packet.

What commands/filters do i need to apply to just obtain dropped packet count so i can show to the vendor.

Any help would be appreciated.

Thank you.
Question by:z969307
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 21

Expert Comment

ID: 38860052
I don't know if wireshark can do what you want, although someone else may.
Wireshark can only analyze packets that it sees.
If they were dropped before getting to the point that it is running then it won't see them. And if it sees them then they weren't dropped.

About the only thing you could do that I know of is capture at the source and compare that to a simultaneous capture at the destination.

Author Comment

ID: 38860296
I have confirmed (via another source) that WireShark is capturing all the data. the packets are getting lost on their way to the application layer leading us to believe the receive buffers are unable to keep up.

Question still remains, how to decode the WireShark data, the app is pretty complicated.
LVL 21

Expert Comment

ID: 38860472
You could start by entering a display filter with the address of the sending station:
ip.addr== for example.

That will show you everything you received from the transmitter.
Then look at the packets to see where the sequence numbered packets that your other application flagged are appearing in the captured data.

If it a single stream you may be able to use the analyze/follow tcp stream to help after clicking on one of the packets in the stream.

If there is something else going on at the time, coming from the network, then note the packet number where the drop occurred and clear the filter and go to that area of the capture to see what is happening around the time of those packets.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 57

Expert Comment

ID: 38860774
I'll have to look at some traces I have where I saw dropped packets.

Wireshark does have an advanced anaylsys filter where you can filter to look for duplicate acks (an indication that the far side detected a dropped packet) and prior segment lost based on what Wireshark thinks.

I just don't know the exact check off hand.

Accepted Solution

z969307 earned 0 total points
ID: 38979103
Excuse me for not keeping this updated, I was able to find the answer from an external source :

Display filter for Exchange MC sequence numbers….
Starting at the 12th byte of the data portion of the frame, take the next 4 bytes which is the sequence number.  The 11th byte is also important because it specifies how many messages are in the packet.  Example below:
Reported missing sequence number 13639513 = hex 00d01f59
In order to check a sequence of packets you need to check the 11th byte though, because it indicates how many messages are in the packet (can be 1 or many).  So for instance, if looking at that packet and 11th byte is “09”, then the next sequence number we should see in the capture is 13639522 (hex 00d01f62).
The message sequence numbers are per multicast channel, so each channel must be followed individually to see the sequences.
LVL 57

Expert Comment

ID: 38979630
Great, however if you have a similar problem, or really any problem, you may want to give more a little more detail, like knowing it was Exchange traffic would have helped.

Author Closing Comment

ID: 38993103
Got answer from an External Source.

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
In this article, we’ll look at how to deploy ProxySQL.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question