I'm using Wireshark to study the traffic between a client and a server on my own machine. I study the traffic on the interface lo, and afterwards I study the traffic on the network (client and server on separate machines) on the interface eth0. I always look at the conversations in Statistics to study the number of packets sent and received by client and server, and I always obtain the same number for sent and received. I mean, I can't see the number of lost packets in the network? Because I tried introducing packet loss and I always obtain the same number for packets sent and for packets received. How can I see the number of lost packets? Because not all the packets the server sends can arrive at the client... Maybe I'm doing something wrong, or I don't understand well how Wireshark works?
Thank you very much for your help!
asked 15 Dec '10, 13:24
You really cannot see a lost packet. You can only detect it has occurred based on behavior in an upper layer protocol like TCP. Alternatively, you can gather traffic on two endpoints and make a comparison. With that being said, please let me know more specifically how you are capturing and analyzing traffic, what you are trying to understand through your analysis and what type of traffic you are looking at.
answered 15 Dec '10, 15:05
What I was saying here is: if you capture traffic on or near A and on or near B, and the same packets are in both captures, then there is very likely no loss of packets. If the number of packets from A > B is always equal to the number of packets from B > A, that sort of indicates that it is a symmetric, or at least somewhat predictable, protocol.
Since we are talking about UDP, there's not a lot in the protocol itself that could tell us whether packets are being dropped or not. So what we have to do is think about the UDP payload, which would be the protocols in the Session, Presentation, and Application layers (of the OSI model). I guess the thing I am getting at is: exactly how should Wireshark tell us if there are missing packets? From a wire perspective, we would generally either see a gap in communication (downstream from what's causing the drops) or we would see retransmits (if we are upstream from what is causing the drops). In TCP, we have sequence numbers with which we can determine whether our capture is in one of those two locations. In UDP, we have no sequence numbers, so we have to know about the protocol in the payload, or compare our capture to a capture that was taken on the other side of the device causing the drops. Make sense?
answered 16 Dec '10, 02:45
Most well-designed protocols that use UDP as transport have some sort of identification or sequence number - if the application needs to be aware of lost datagrams. If you look at the specs for DNS or RTP or SNMP you will find this. Wireshark does track some of these identifiers - for instance it can report on lost RTP packets.
Also note that the IP header has an ID field. Usually a machine will increment this for each IP packet it sends. If you know that your sender is only sending traffic to one destination, you may be able to make use of this.
answered 21 Dec '10, 16:59
I would also love to know how to count the number of lost packets with regard to sending. So if I run tshark or Wireshark, I can see a lost packet, for example, when it sends the SYN and never gets the SYN,ACK, so it resends the SYN. Is there a way to get a count of all lost packets from the sender, where it had to resend? Then I can just run this on both sides to get the total number of lost packets between the two machines.
I am currently running on EC2 and am seeing, I think, major packet loss, but I'm not sure how to count it. Does anyone know how to count the number of resends from one end to get the number lost?
(or maybe there is a script out there that can take tshark input and spit out number of packets resent).
answered 02 Sep '11, 11:53
How do I get a count of resent packets? (The same thing as lost packets in one direction, without counting lost packets in the opposite direction, of course.)
answered 20 Sep '11, 02:46
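Worked example added by the editor, not code from this thread or from the Wireshark project. It is a stdlib-only Python script that builds two constructed captures (the Ethernet/IPv4 framing, the addresses 10.0.0.1 and 10.0.0.2, the ports and the payloads are all made up) and applies the three checks the thread proposes: comparing a capture taken near A with one taken near B (the two answers above that talk about capturing at both endpoints), counting holes in one sender's IP ID sequence (the 21 Dec answer), and counting repeated SYN or data segments as the sender-side view of loss (the EC2 question and the follow-up). The pcap reader is deliberately minimal: Ethernet-framed IPv4 carrying UDP or TCP, classic pcap only (no pcapng, no nanosecond variant).

```python
import hashlib
import struct
# --- builders for the constructed captures used below (test data, not real traffic) ---
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
ETH_IPV4 = bytes(12) + b"\x08\x00"  # zeroed MACs, EtherType 0x0800

def ipv4(src, dst, proto, ip_id, payload):
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64,
                       proto, 0, src_b, dst_b) + payload  # header checksum left as 0

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, seq, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + data

def pcap(frames):
    out = bytearray(PCAP_HDR)
    for ts, frame in frames:
        sec, usec = divmod(int(round(ts * 1e6)), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

# --- minimal pcap reader: Ethernet / IPv4 with UDP or TCP on top ---
def parse_pcap(data):
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total, ip_id = struct.unpack("!HH", ip[2:6])
        proto, l4 = ip[9], ip[ihl:total]
        pkt = {"ts": sec + usec / 1e6, "src": ".".join(map(str, ip[12:16])),
               "dst": ".".join(map(str, ip[16:20])), "proto": proto, "ip_id": ip_id}
        if proto == 17:
            pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
            pkt["payload"] = l4[8:]
        elif proto == 6:
            pkt["sport"], pkt["dport"], pkt["seq"] = struct.unpack("!HHI", l4[:8])
            pkt["flags"], pkt["payload"] = l4[13], l4[(l4[12] >> 4) * 4:]
        yield pkt

# --- check 1: is every packet the sender emitted also present on the far side? ---
def fingerprint(p):
    # Identity that survives a router hop: 5-tuple, IP ID, payload (TTL and checksums
    # change per hop). A NAT between the two captures would break the 5-tuple part.
    return (p["src"], p["dst"], p["proto"], p.get("sport"), p.get("dport"),
            p["ip_id"], hashlib.sha256(p.get("payload", b"")).digest())

def missing_downstream(cap_upstream, cap_downstream, sender):
    """Packets from `sender` seen upstream but not downstream: dropped in between."""
    seen = {fingerprint(p) for p in parse_pcap(cap_downstream)}
    return [p for p in parse_pcap(cap_upstream)
            if p["src"] == sender and fingerprint(p) not in seen]

# --- check 2: holes in one sender's IP ID sequence (single-destination sender only) ---
def ip_id_gaps(cap, sender):
    ids = [p["ip_id"] for p in parse_pcap(cap) if p["src"] == sender]
    return sum((b - a - 1) & 0xFFFF for a, b in zip(ids, ids[1:]))  # wraps at 65535

# --- check 3: TCP segments the sender had to send again (SYN or data repeated) ---
def tcp_retransmissions(cap, sender):
    seen, count = set(), 0
    for p in parse_pcap(cap):
        if p["proto"] != 6 or p["src"] != sender:
            continue
        if not (p["flags"] & 0x02 or p["payload"]):
            continue  # pure ACKs repeat their seq legitimately; ignore them
        key = (p["dst"], p["sport"], p["dport"], p["seq"])
        if key in seen:
            count += 1
        seen.add(key)
    return count

def build_demo():
    """Constructed captures: UDP with one datagram lost in transit, TCP with a lost SYN."""
    a, b = "10.0.0.1", "10.0.0.2"
    udp_frames = [(i * 0.01, ETH_IPV4 + ipv4(a, b, 17, i, udp(5000, 5001, b"m%d" % i)))
                  for i in range(1, 6)]  # A sends IP IDs 1..5
    near_a = pcap(udp_frames)
    near_b = pcap([f for i, f in enumerate(udp_frames, 1) if i != 3])  # ID 3 never arrives
    syn = lambda ip_id: ETH_IPV4 + ipv4(a, b, 6, ip_id, tcp(40000, 80, 1000, 0x02))
    synack = ETH_IPV4 + ipv4(b, a, 6, 7, tcp(80, 40000, 5000, 0x12))
    tcp_cap = pcap([(0.0, syn(100)), (1.0, syn(101)), (1.01, synack)])  # SYN, SYN again, SYN/ACK
    return near_a, near_b, tcp_cap

if __name__ == "__main__":
    near_a, near_b, tcp_cap = build_demo()
    print("UDP IDs missing near B:", [p["ip_id"] for p in missing_downstream(near_a, near_b, "10.0.0.1")])
    print("IP ID gaps near B:", ip_id_gaps(near_b, "10.0.0.1"))
    print("SYN/data retransmissions by A:", tcp_retransmissions(tcp_cap, "10.0.0.1"))
```

On the constructed captures the script reports IP ID 3 missing near B, one IP ID gap on the B side, and one retransmission by A; point `parse_pcap` at the bytes of a real classic-pcap file to run the same checks on your own traffic. The third check is a crude stand-in for Wireshark's own analysis, which is exposed through the display filter tcp.analysis.retransmission (also usable as `tshark -r file.pcap -Y tcp.analysis.retransmission`). The IP ID check only works when the sender uses one incrementing counter for all its traffic; modern stacks often use per-destination or random IDs, or zero for packets with DF set, so a result of zero there means "no evidence", not "no loss".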