
Chart gaps between IP ID

I have a UDP stream that increments each packet's IP ID by one. Since this is UDP and I have no way to show packet loss via dup ACKs or retransmissions, I'd like a way to visualize packet loss by seeing gaps between the packets. I.e., if ip.ids are 5,6,9,10 I could see a loss of 7 packets. Is there any way to chart this in Wireshark?

bhilgenkamp
asked 2019-06-19 15:48:26 +0000

2 Answers


Please be very careful when using ip.id as an indicator for packet loss. Not all systems use the same algorithm to create ip.id numbers. I (think I) have seen the following patterns over time:

  • one counter for the whole system. I.e., when other processes are also sending data, then you will have gaps in the ip.id numbers for your specific UDP stream
  • one counter per process. In this case your method will work, but are you sure this method is used by all systems that you want to track?
  • random ip.id numbers. Your method will obviously not work here. Do you have control over the sending side so you can be sure this method is not used?
  • 0x0000 for all packets. Your method will obviously not work here. Do you have control over the sending side so you can be sure this method is not used?

Are you sure there is not a sequence number used in the payload of the UDP packets? If there is, you might want to write a Lua dissector for this protocol in which you expose the found sequence number to Wireshark to filter on. And you can add some logic to determine if there are gaps and/or out-of-order UDP packets.

SYN-bit
answered 2019-07-07 09:00:54 +0000

No, not really.

You can do this task in different ways. I'll show you two of them.

You can use tshark -> Have a detailed look here https://www.youtube.com/watch?v=gMg8t...

You can use the "File -> Export Packet Dissections -> As CSV..." dialog to export the packet pane view to a CSV file. After that you can import it into Excel and do some sorting or scripting around it....

Christian_R
answered 2019-06-19 16:39:40 +0000, updated 2019-06-19 16:40:05 +0000

Comments

Looks like the URL for the YouTube link didn't come through properly. Can you post that again?

bhilgenkamp (2019-06-20 20:59:53 +0000)

I think @Christian_R was linking to my SharkfestUS '19 presentation about using tshark to solve packet challenges (the first part of the video id seems to match).

SYN-bit (2019-07-07 08:52:39 +0000)
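An added example, not part of either answer and not Wireshark project code: one way to do the "export and script around it" step, reporting ip.id gaps while handling the 16-bit wrap and the caveats listed in the first answer (all-zero, non-sequential IDs). It assumes the input is tab-separated `tshark -T fields` output; the function names and the sample rows are made up for illustration.

```python
# Added example. Assumed input: tab-separated output of
#   tshark -r capture.pcap -Y udp -T fields -e frame.number -e ip.id
# SAMPLE is constructed for illustration, not taken from a real capture.
SAMPLE = (
    "1\t0xfffc\n2\t0xfffd\n3\t0xfffe\n4\t0x0001\n5\t0x0002\n"
    "6\t0x0002\n7\t0x0003\n8\t0x0006\n9\t0x0005\n10\t0x0007\n"
)

def parse(text):
    """Return [(frame_number, ip_id)] from tshark field output."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1]:
            continue  # frame without an IPv4 header
        # Tunnelled packets list several comma-separated IDs; keep the outer one.
        # int(x, 0) accepts the hex rendering (0x0005) as well as plain decimal.
        rows.append((int(parts[0]), int(parts[1].split(",")[0], 0)))
    return rows

def find_gaps(rows):
    """Return (gaps, notes); each gap is (frame, first_missing_id, count)."""
    if rows and all(ip_id == 0 for _, ip_id in rows):
        return [], ["every ip.id is 0x0000: loss cannot be inferred"]
    gaps, notes, prev, steps, ones = [], [], None, 0, 0
    for frame, cur in rows:
        if prev is not None:
            steps += 1
            delta = (cur - prev) & 0xFFFF  # ip.id is 16 bits and wraps
            if delta == 1:
                ones += 1
            elif delta == 0:
                notes.append(f"frame {frame}: duplicate ip.id")
            elif delta >= 0x8000:
                # Backwards step: a late packet, so an earlier gap overcounted.
                notes.append(f"frame {frame}: out of order")
                continue  # keep the highest ID seen as the reference
            else:
                gaps.append((frame, (prev + 1) & 0xFFFF, delta - 1))
        prev = cur
    if steps and ones * 2 < steps:
        # Fewer than half the steps are +1: shared or random counter likely.
        notes.append("ip.id does not behave like a per-stream counter")
    return gaps, notes

if __name__ == "__main__":
    for frame, first, count in find_gaps(parse(SAMPLE))[0]:
        print(f"frame {frame}: {count} missing, starting at 0x{first:04x}")
```

The gap list can be charted in a spreadsheet against frame number; any note in the second return value means the counts should be treated as an upper bound rather than a loss figure.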
