Can I write a filter to locate sequence number inconsistencies?

Question

Consider the following. I believe that one of my rouers is failing to pass an ICMP response back very intermittently (maybe 1:10,000). While I do not care about the ICMP packets themselves this issue is causing intermittent transmission failure.

What I have been doing is runnning a capture for a period of time and checking the sequence number for skips. So far this is the only way I have been able to confirm that this is happening.

example:
icmp.seq == 18
icmp.seq == 19
icmp.seq == 20
icmp.seq == 22 <--Sequence break

I'd like to be able to write a filter or batch file or something that would look for these automatically so I dont have to spend as much time doing it myself. Any thoughts or advice would be much appreciated.

Thank you so much.

Answer 1

you can use this command:

tshark -r icmp.cap -R "ip.src == x.x.x.x" -T fields -e frame.number -eip.src -e icmp.seq -E header=y -E separator=;

Output will be:

frame.number;ip.src;icmp.seq
1;x.x.x.x;10
3;x.x.x.x;11
5;x.x.x.x;12
7;x.x.x.x;13
9;x.x.x.x;15
11;x.x.x.x;16

Then write a script to calculate the difference of the SEQ numbers. Whenever the SEQ number is > 1 you might have found a missing ICMP packet. Please consider packets arriving out of order, even if it may be unlikely!

Instead of a script, you can also use MS Excel. Import the output as CSV and calculate the SUM in column E2: =SUM(C2-C1), E3: =SUM(C3-C2). Then duplicate that formula to all other columns in E (click and drag - see Excel manual).

Regards
Kurt