How to find dropped packets via WireShark

Posted on 2013-02-05
Last Modified: 2013-12-06
I hope I selected the correct topics.

I have about 10GB of WireShark PCaP capture files.
Reason I did the capture,  the developers where pointing out to dropped packets from our Vendor who provides Multicast data. they wrote an application to track the sequence numbers and dropped packet.

What commands/filters do i need to apply to just obtain dropped packet count so i can show to the vendor.

Any help would be appreciated.

Thank you.
Question by:z969307
  • 3
  • 2
  • 2
LVL 21

Expert Comment

ID: 38860052
I don't know if wireshark can do what you want, although someone else may.
Wireshark can only analyze packets that it sees.
If they were dropped before getting to the point that it is running then it won't see them. And if it sees them then they weren't dropped.

About the only thing you could do that I know of is capture at the source and compare that to a simultaneous capture at the destination.

Author Comment

ID: 38860296
I have confirmed (via another source) that WireShark is capturing all the data. the packets are getting lost on their way to the application layer leading us to believe the receive buffers are unable to keep up.

Question still remains, how to decode the WireShark data, the app is pretty complicated.
LVL 21

Expert Comment

ID: 38860472
You could start by entering a display filter with the address of the sending station:
ip.addr== for example.

That will show you everything you received from the transmitter.
Then look at the packets to see where the sequence numbered packets that your other application flagged are appearing in the captured data.

If it a single stream you may be able to use the analyze/follow tcp stream to help after clicking on one of the packets in the stream.

If there is something else going on at the time, coming from the network, then note the packet number where the drop occurred and clear the filter and go to that area of the capture to see what is happening around the time of those packets.
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

LVL 57

Expert Comment

ID: 38860774
I'll have to look at some traces I have where I saw dropped packets.

Wireshark does have an advanced anaylsys filter where you can filter to look for duplicate acks (an indication that the far side detected a dropped packet) and prior segment lost based on what Wireshark thinks.

I just don't know the exact check off hand.

Accepted Solution

z969307 earned 0 total points
ID: 38979103
Excuse me for not keeping this updated, I was able to find the answer from an external source :

Display filter for Exchange MC sequence numbers….
Starting at the 12th byte of the data portion of the frame, take the next 4 bytes which is the sequence number.  The 11th byte is also important because it specifies how many messages are in the packet.  Example below:
Reported missing sequence number 13639513 = hex 00d01f59[12:4]=00:d0:1f:59
In order to check a sequence of packets you need to check the 11th byte though, because it indicates how many messages are in the packet (can be 1 or many).  So for instance, if looking at that packet and 11th byte is “09”, then the next sequence number we should see in the capture is 13639522 (hex 00d01f62).
The message sequence numbers are per multicast channel, so each channel must be followed individually to see the sequences.
LVL 57

Expert Comment

ID: 38979630
Great, however if you have a similar problem, or really any problem, you may want to give more a little more detail, like knowing it was Exchange traffic would have helped.

Author Closing Comment

ID: 38993103
Got answer from an External Source.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many network operators, engineers, and administrators do not take several factors into consideration when troubleshooting network throughput and latency issues.  They often  measure the throughput by performing a measurement  by transferring a large…
This tutorial will go through the steps required to write a script that will back up the configuration settings of a HP-ProCurve switch. You will need to get the following things to follow this tutorial: Telnet Scripting Tool e.g. TST10.exe …
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now