[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


How to find dropped packets via WireShark

Posted on 2013-02-05
Medium Priority
Last Modified: 2013-12-06
I hope I selected the correct topics.

I have about 10GB of WireShark PCaP capture files.
Reason I did the capture,  the developers where pointing out to dropped packets from our Vendor who provides Multicast data. they wrote an application to track the sequence numbers and dropped packet.

What commands/filters do i need to apply to just obtain dropped packet count so i can show to the vendor.

Any help would be appreciated.

Thank you.
Question by:z969307
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 21

Expert Comment

ID: 38860052
I don't know if wireshark can do what you want, although someone else may.
Wireshark can only analyze packets that it sees.
If they were dropped before getting to the point that it is running then it won't see them. And if it sees them then they weren't dropped.

About the only thing you could do that I know of is capture at the source and compare that to a simultaneous capture at the destination.

Author Comment

ID: 38860296
I have confirmed (via another source) that WireShark is capturing all the data. the packets are getting lost on their way to the application layer leading us to believe the receive buffers are unable to keep up.

Question still remains, how to decode the WireShark data, the app is pretty complicated.
LVL 21

Expert Comment

ID: 38860472
You could start by entering a display filter with the address of the sending station:
ip.addr== for example.

That will show you everything you received from the transmitter.
Then look at the packets to see where the sequence numbered packets that your other application flagged are appearing in the captured data.

If it a single stream you may be able to use the analyze/follow tcp stream to help after clicking on one of the packets in the stream.

If there is something else going on at the time, coming from the network, then note the packet number where the drop occurred and clear the filter and go to that area of the capture to see what is happening around the time of those packets.
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

LVL 57

Expert Comment

ID: 38860774
I'll have to look at some traces I have where I saw dropped packets.

Wireshark does have an advanced anaylsys filter where you can filter to look for duplicate acks (an indication that the far side detected a dropped packet) and prior segment lost based on what Wireshark thinks.

I just don't know the exact check off hand.

Accepted Solution

z969307 earned 0 total points
ID: 38979103
Excuse me for not keeping this updated, I was able to find the answer from an external source :

Display filter for Exchange MC sequence numbers….
Starting at the 12th byte of the data portion of the frame, take the next 4 bytes which is the sequence number.  The 11th byte is also important because it specifies how many messages are in the packet.  Example below:
Reported missing sequence number 13639513 = hex 00d01f59
In order to check a sequence of packets you need to check the 11th byte though, because it indicates how many messages are in the packet (can be 1 or many).  So for instance, if looking at that packet and 11th byte is “09”, then the next sequence number we should see in the capture is 13639522 (hex 00d01f62).
The message sequence numbers are per multicast channel, so each channel must be followed individually to see the sequences.
LVL 57

Expert Comment

ID: 38979630
Great, however if you have a similar problem, or really any problem, you may want to give more a little more detail, like knowing it was Exchange traffic would have helped.

Author Closing Comment

ID: 38993103
Got answer from an External Source.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The worst thing when starting a new job is when the previous Network Administrator left behind no documentation. How do you get into the devices? If you've been in this situation or just accidently mistyped your password, this article will hopefully…
Introduction Many times we come across a slowness or instability between two hosts, and almost always we blame the poor networking guys, just because they're an easy target.  Sometimes we forget that other factors including disk bottlenecks, CPU …
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question