Solved

How to find dropped packets via WireShark

Posted on 2013-02-05
7
4,983 Views
Last Modified: 2013-12-06
I hope I selected the correct topics.

I have about 10GB of WireShark PCaP capture files.
Reason I did the capture,  the developers where pointing out to dropped packets from our Vendor who provides Multicast data. they wrote an application to track the sequence numbers and dropped packet.

What commands/filters do i need to apply to just obtain dropped packet count so i can show to the vendor.

Any help would be appreciated.

Thank you.
0
Comment
Question by:z969307
  • 3
  • 2
  • 2
7 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
Comment Utility
I don't know if wireshark can do what you want, although someone else may.
Wireshark can only analyze packets that it sees.
If they were dropped before getting to the point that it is running then it won't see them. And if it sees them then they weren't dropped.

About the only thing you could do that I know of is capture at the source and compare that to a simultaneous capture at the destination.
0
 

Author Comment

by:z969307
Comment Utility
I have confirmed (via another source) that WireShark is capturing all the data. the packets are getting lost on their way to the application layer leading us to believe the receive buffers are unable to keep up.

Question still remains, how to decode the WireShark data, the app is pretty complicated.
0
 
LVL 21

Expert Comment

by:Rick_O_Shay
Comment Utility
You could start by entering a display filter with the address of the sending station:
ip.addr==10.1.2.3 for example.

That will show you everything you received from the transmitter.
Then look at the packets to see where the sequence numbered packets that your other application flagged are appearing in the captured data.

If it a single stream you may be able to use the analyze/follow tcp stream to help after clicking on one of the packets in the stream.

If there is something else going on at the time, coming from the network, then note the packet number where the drop occurred and clear the filter and go to that area of the capture to see what is happening around the time of those packets.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 57

Expert Comment

by:giltjr
Comment Utility
I'll have to look at some traces I have where I saw dropped packets.

Wireshark does have an advanced anaylsys filter where you can filter to look for duplicate acks (an indication that the far side detected a dropped packet) and prior segment lost based on what Wireshark thinks.

I just don't know the exact check off hand.
0
 

Accepted Solution

by:
z969307 earned 0 total points
Comment Utility
Excuse me for not keeping this updated, I was able to find the answer from an external source :

Display filter for Exchange MC sequence numbers….
Starting at the 12th byte of the data portion of the frame, take the next 4 bytes which is the sequence number.  The 11th byte is also important because it specifies how many messages are in the packet.  Example below:
 
Reported missing sequence number 13639513 = hex 00d01f59
 
data.data[12:4]=00:d0:1f:59
 
In order to check a sequence of packets you need to check the 11th byte though, because it indicates how many messages are in the packet (can be 1 or many).  So for instance, if looking at that packet and 11th byte is “09”, then the next sequence number we should see in the capture is 13639522 (hex 00d01f62).
 
The message sequence numbers are per multicast channel, so each channel must be followed individually to see the sequences.
0
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Great, however if you have a similar problem, or really any problem, you may want to give more a little more detail, like knowing it was Exchange traffic would have helped.
0
 

Author Closing Comment

by:z969307
Comment Utility
Got answer from an External Source.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now