z969307 asked:
How to find dropped packets via Wireshark
I hope I selected the correct topics.
I have about 10GB of Wireshark pcap capture files.
The reason I did the capture: the developers were pointing out dropped packets from our vendor who provides multicast data. They wrote an application to track the sequence numbers and dropped packets.
What commands/filters do I need to apply to just obtain the dropped packet count so I can show it to the vendor?
Any help would be appreciated.
Thank you.
ASKER
I have confirmed (via another source) that Wireshark is capturing all the data. The packets are getting lost on their way to the application layer, leading us to believe the receive buffers are unable to keep up.
The question still remains: how to decode the Wireshark data? The app is pretty complicated.
You could start by entering a display filter with the address of the sending station:
ip.addr==10.1.2.3 for example.
That will show you everything you received from the transmitter.
Then look at the packets to see where the sequence numbered packets that your other application flagged are appearing in the captured data.
If it is a single stream, you may be able to use Analyze/Follow TCP Stream to help, after clicking on one of the packets in the stream.
If there is something else going on at the time, coming from the network, then note the packet number where the drop occurred, clear the filter, and go to that area of the capture to see what is happening around the time of those packets.
I'll have to look at some traces I have where I saw dropped packets.
Wireshark does have an advanced analysis filter where you can filter to look for duplicate ACKs (an indication that the far side detected a dropped packet) and prior segment lost, based on what Wireshark thinks.
I just don't know the exact check off hand.
ASKER CERTIFIED SOLUTION
Great. However, if you have a similar problem, or really any problem, you may want to give a little more detail; for example, knowing it was Exchange traffic would have helped.
ASKER
Got answer from an External Source.
Wireshark can only analyze packets that it sees.
If they were dropped before getting to the point that it is running then it won't see them. And if it sees them then they weren't dropped.
About the only thing you could do that I know of is capture at the source and compare that to a simultaneous capture at the destination.
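The two approaches discussed in this thread (tracking the vendor's per-packet sequence numbers in a single capture, and comparing a source-side capture against a destination-side capture) can both be done on exported Wireshark fields. The following is an added example written for this page; it is not code from any participant or from the developers' application. It assumes the sender address 10.1.2.3 from the thread, assumes (hypothetically) that the feed's sequence number has already been extracted from the UDP payload into the last column of a tab-separated `tshark -T fields` export, and uses small constructed samples in place of the real 10GB of captures.

```python
"""Sequence-gap accounting for a multicast feed (added example, not from the page).

The constructed input below stands in for the output of a command such as
  tshark -r capture.pcap -Y "ip.addr==10.1.2.3" -T fields \
      -e frame.number -e ip.src -e ip.dst -e udp.dstport -e <sequence field>
The last column is an ASSUMED vendor sequence number; real feeds carry it at a
vendor-specific offset inside the UDP payload, so the extraction step is not shown.
"""
from collections import defaultdict

# Constructed destination-side capture: frame, src, multicast group, port, sequence.
# Stream 239.1.1.5:5000 loses 102-103 and repeats 105; stream 239.1.1.6:5001 loses 9-10.
DEST_TSV = """\
1\t10.1.2.3\t239.1.1.5\t5000\t100
2\t10.1.2.3\t239.1.1.5\t5000\t101
3\t10.1.2.3\t239.1.1.6\t5001\t7
4\t10.1.2.3\t239.1.1.5\t5000\t104
5\t10.1.2.3\t239.1.1.6\t5001\t8
6\t10.1.2.3\t239.1.1.5\t5000\t105
7\t10.1.2.3\t239.1.1.5\t5000\t105
8\t10.1.2.3\t239.1.1.6\t5001\t11
"""

# Constructed source-side capture of the same feed, taken next to the sender.
SOURCE_TSV = """\
1\t10.1.2.3\t239.1.1.5\t5000\t100
2\t10.1.2.3\t239.1.1.5\t5000\t101
3\t10.1.2.3\t239.1.1.5\t5000\t102
4\t10.1.2.3\t239.1.1.5\t5000\t103
5\t10.1.2.3\t239.1.1.5\t5000\t104
6\t10.1.2.3\t239.1.1.5\t5000\t105
"""


def parse_fields(text):
    """Turn tab-separated tshark field lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, dst, port, seq = line.split("\t")
        records.append({"frame": int(frame), "src": src, "dst": dst,
                        "port": int(port), "seq": int(seq)})
    return records


def find_gaps(records):
    """Per (src, group, port) stream, count sequence numbers that never arrived.

    Returns {stream: {"missing": n, "gaps": [(frame, last_seq, seq), ...],
                      "duplicates": n}}.  A forward jump means the packets in
    between never reached the capture point; repeats are counted separately so
    they are not mistaken for progress.  Sequence wraparound is not handled.
    """
    last_seq = {}
    report = defaultdict(lambda: {"missing": 0, "gaps": [], "duplicates": 0})
    for r in records:
        key = (r["src"], r["dst"], r["port"])
        seq = r["seq"]
        if key in last_seq:
            expected = last_seq[key] + 1
            if seq > expected:
                report[key]["missing"] += seq - expected
                report[key]["gaps"].append((r["frame"], last_seq[key], seq))
            elif seq <= last_seq[key]:
                report[key]["duplicates"] += 1
                continue  # never move the expected pointer backwards
        last_seq[key] = seq
    return dict(report)


def compare_captures(source_records, dest_records):
    """Sequence numbers seen at the source but absent at the destination.

    This is the capture-at-both-ends comparison: anything present here was
    sent but dropped somewhere between the two capture points.
    """
    seen_dst = {(r["src"], r["dst"], r["port"], r["seq"]) for r in dest_records}
    dropped = defaultdict(list)
    for r in source_records:
        k = (r["src"], r["dst"], r["port"], r["seq"])
        if k not in seen_dst:
            dropped[k[:3]].append(r["seq"])
    return dict(dropped)


if __name__ == "__main__":
    dest = parse_fields(DEST_TSV)
    for stream, info in find_gaps(dest).items():
        print(stream, "missing:", info["missing"], "gaps:", info["gaps"],
              "duplicates:", info["duplicates"])
    print("dropped between captures:", compare_captures(parse_fields(SOURCE_TSV), dest))
```

The per-stream gap count from `find_gaps` is the "dropped packet count" the asker wanted to hand to the vendor, but as the external source noted it only counts what the capture point itself never saw; a gap that appears in `compare_captures` but not in `find_gaps` on a capture taken at the receiving host is the signature of loss on the local host (receive buffers) rather than on the network. For TCP-carried data the same idea is available directly as Wireshark display filters, `tcp.analysis.duplicate_ack` and `tcp.analysis.lost_segment`, which are the "advanced analysis" checks the earlier answer could not name off hand.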