This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

count of loss packets in the network

0

I´m using wireshark for study the traffic between a client and a server in my own machine. I study the traffic on the interface lo and after I study the traffic on the network (client and server in separate machines) on the interface eth0 I always see the conversations in stadistics for study the number of packets sent and received by client and server and I always obtain the same number for sent and received, I mean, I can´t see the number of loss packets in the network??Becuase I tried with putting loss packets and always obtain the same number for packets sents and for packets received..how can I see the number of loss packets??Because all packets server sent cannot arrive to the client...Maybe I´m doing something wrong or I don´t understand well how works wireshark??

Thank you very much for your help!

asked 15 Dec '10, 13:24

Susana26's gravatar image

Susana26
1222
accept rate: 0%

If you captured on the sending and receiving hosts, you will see a difference in the number of packets. For example, if you're sending from A -> B, and the loss is in the direction from A -> B, and you're capturing on both, you'll see the packet leave A but never arrive at B. Are you capturing on both sides?

(15 Dec '10, 15:34) hansangb

Thanks for your replies. How I have to do to capture in both sides?I didn´t do anything more than start the capture and see the traffic that is in both sides.And in convewrsations I can see the traffic from A -> B and from B->A and always the packets received is the same than the sent. Where I have to put that capture ib both sides?

What I´m doing is sending udp traffic between a client and a server. More send udp packets but there are much more traffic from the server becausae his always send a file divided in smaller packets. I don´t put any special to do the capture and I studied the packets sent and received in stadistics->conversations. But is what I don´t understand. For one experiments I force that packets losses in the network. The traffic from sewrver to the cliente increases comparring with the normal situation but always the number of packets received in B is the same than the packets sent by A. Is what I don´t understand well. Maybe I have to select some option in wireshark..I´m new in it sorry..

But if you could help me..

(16 Dec '10, 00:41) Susana26

And another thing. The packets that appear dropeed in the status bar, are pakcets that are sent by because of my machine I can not process so wireshark can not count and manage it? VBefore I told you that I wath the results in Stadistics ->Conversations but really I take the results from Stadistics -> Endpointsa where appears the number of packets sent and received by each part that takes part in the communication. I´m wrong? Thank you!!!

(16 Dec '10, 02:36) Susana26

5 Answers:

0

You really cannot see a lost packet. You can only detect it has occurred based on behavior in an upper layer protocol like TCP. Alternatively, you can gather traffic on two endpoints and make a comparison. With that being said, please let me know more specifically how you are capturing and analyzing traffic, what you are trying to understand through your analysis and what type of traffic you are looking at.

answered 15 Dec '10, 15:05

Paul%20Stewart's gravatar image

Paul Stewart
3018
accept rate: 6%

0

How I have to do to capture in both sides?I didn´t do anything more than start the capture and see the traffic that is in both sides.And in conversations I can see the traffic from A -> B and from B->A and always the packets received is the same than the sent. Where I have to put that capture ib both sides?

What I was saying here is if you copy traffic on or near A and on or near B. If the same packets are in both captures then there is very likely no loss of packets. If the packets from A > B is always equal to the packets from B > A, that sort of indicates that it is a symmetric or at least somewhat predictable protocol.

What I´m doing is sending udp traffic between a client and a server. More send udp packets but there are much more traffic from the server becausae his always send a file divided in smaller packets. I don´t put any special to do the capture and I studied the packets sent and received in stadistics->conversations. But is what I don´t understand. For one experiments I force that packets losses in the network. The traffic from sewrver to the cliente increases comparring with the normal situation but always the number of packets received in B is the same than the packets sent by A. Is what I don´t understand well. Maybe I have to select some option in wireshark..I´m new in it sorry..

Since we are talking about UDP, there's not a lot in the protocol itself that could tell us if packets are being dropped or not. So what we have to do is think about the UDP payload, which would be the protocols in the Session, Presentation, and Application layers (of the OSI model). I guess the thing I am getting at is exactly how should wireshark tell us if there are missing packets? From a wire perspective, we would generally either see a gap in communication (downstream from what's causing the drops) or we would see retransmits (if we are up stream from what is causing the drops). In TCP, we have sequence numbers that we can determine if our capture is in one of those two locations. In UDP, we have no sequence numbers, so we have to know about the protocol in the payload, or compare our capture to a capture that was on the other side of a device causing the drops. Make sense?

answered 16 Dec '10, 02:45

Paul%20Stewart's gravatar image

Paul Stewart
3018
accept rate: 6%

Thanks for your replay Paul but I don´t understand very well what you mean.

What I was saying here is if you copy traffic on or near A and on or near B. If the same packets are in both captures then there is very likely no loss of packets. If the packets from A > B is always equal to the packets from B > A, that sort of indicates that it is a symmetric or at least somewhat predictable protocol.

Yes, I can see in Stadistics-> Endpoints that the packets sent by A are the same than the packets received by B but there is loss packets because I introduce it. I can see how the number of packets increases compared to the situation where there is no traffic loss but I cannot understand why the number of packets received by B is the same sent by A when I´m make that there are loss packets.

Since we are talking about UDP, there's not a lot in the protocol itself that could tell us if packets are being dropped or not. So what we have to do is think about the UDP payload, which would be the protocols in the Session, Presentation, and Application layers (of the OSI model). I guess the thing I am getting at is exactly how should wireshark tell us if there are missing packets? From a wire perspective, we would generally either see a gap in communication (downstream from what's causing the drops) or we would see retransmits (if we are up stream from what is causing the drops). In TCP, we have sequence numbers that we can determine if our capture is in one of those two locations. In UDP, we have no sequence numbers, so we have to know about the protocol in the payload, or compare our capture to a capture that was on the other side of a device causing the drops. Make sense?

Sorry but I don´t understand very well this. I´m working with UDP traffic but I have the same problem for TCP traffic. I force a taffic loss but I always see the same number of packets received than sent. What sense has this?I can´t see the number of loss packets with wireshark??

Thanks a lot for your help!!

(21 Dec '10, 05:05) Susana26

0

Most well-designed protocols that use UDP as transport have some sort of identification or sequence number - if the application needs to be aware of lost datagrams. If you look at the specs for DNS or RTP or SNMP you will find this. Wireshark does track some of these identifiers - for instance it can report on lost RTP packets.

Also note that the IP header also has an ID. Usually a machine will increment this for each IP packet it sends. If you know that your sender is only sending traffic to one destination you may be able to make use of this.

answered 21 Dec '10, 16:59

martyvis's gravatar image

martyvis
8911525
accept rate: 7%

0

I would also love to know how to count the number of lost packets with regard to sending so if I run tshark, or wireshark, I can see a lost packet for example when it sends the SYN and never gets the SYN,ACK so it resends the SYN again. Is there a way to get a count of all lost packets from the sender where it had to resend? Then, I can just run this on both sides to get the total number of lost packets between two machines.

I am currently running on EC2 and am seeing I think major packet loss but not sure how to count the number. Anyone know how to count the number of resends from one end to get the number lost?

(or maybe there is a script out there that can take tshark input and spit out number of packets resent).

thanks, Dean

answered 02 Sep '11, 11:53

Dean%20Hiller's gravatar image

Dean Hiller
1
accept rate: 0%

0

How to get a count of resent packets? (same thing as lost packets in the one direction without counting lost packets in the oppossite direction of course)

answered 20 Sep '11, 02:46

Dean%20Hiller's gravatar image

Dean Hiller
1
accept rate: 0%