This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am trying to isolate faulty equipment in a network. My idea is that if I can measure dropped packets between various components on the network I can ultimately isolate the bad component by narrowing the beginning and end points of the analysis.

What I don't understand is how to "append a filter to a conversation". There is an answered question about how to create the filter in your database but I can't figure out how to append a filter to a particular conversation.

Example: I create a filter on the conversations that shows me the traffic between a given computer and my router(one conversion). What I think I want to do is then apply the tcp.analysis.lost_segment filter to that particular conversation. Don't know how to do that. If this is something I can do then how would I view the results once the filter is in place?

Thanks for any help you can provide.

asked 14 Mar '13, 02:04

MrBub's gravatar image

MrBub
1112
accept rate: 0%

edited 14 Mar '13, 02:06


Well, if you already have a conversation filter in place, you could just put that filter in brackets and add " and tcp.analysis.lost_segment". That will show all packets that are from that conversation as well as having the "lost segment" symptom.

The result will be all packets where Wireshark has determined that there was at least one (or more) segments lost before the frame that is marked with the symptom. If you need to determine how many packets it actually were it may be useful to look for the retransmissions instead. A "lost segment" gap can be more than one packets wide, but each packet has to be retransmitted, so count these instead.

All this works if you are sure that you have no drops, meaning that you capture all packets that have been on the wire. If you have drops (at the capture PC or SPAN port) your calculations will be off.

permanent link

answered 14 Mar '13, 02:30

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 14 Mar '13, 02:31

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×8

question asked: 14 Mar '13, 02:04

question was seen: 31,221 times

last updated: 14 Mar '13, 02:31

p​o​w​e​r​e​d by O​S​Q​A