This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I create filter for dropped packets and display results

0

I am trying to isolate faulty equipment in a network. My idea is that if I can measure dropped packets between various components on the network I can ultimately isolate the bad component by narrowing the beginning and end points of the analysis.

What I don't understand is how to "append a filter to a conversation". There is an answered question about how to create the filter in your database but I can't figure out how to append a filter to a particular conversation.

Example: I create a filter on the conversations that shows me the traffic between a given computer and my router (one conversation). What I think I want to do is then apply the tcp.analysis.lost_segment filter to that particular conversation. Don't know how to do that. If this is something I can do, then how would I view the results once the filter is in place?

Thanks for any help you can provide.

asked 14 Mar '13, 02:04

MrBub

edited 14 Mar '13, 02:06


One Answer:

2

Well, if you already have a conversation filter in place, you could just put that filter in brackets and add " and tcp.analysis.lost_segment". That will show all packets that are from that conversation as well as having the "lost segment" symptom.

The result will be all packets where Wireshark has determined that there were one or more segments lost before the frame that is marked with the symptom. If you need to determine how many packets there actually were, it may be useful to look for the retransmissions instead. A "lost segment" gap can be more than one packet wide, but each packet has to be retransmitted, so count these instead.

All this works if you are sure that you have no drops, meaning that you capture all packets that have been on the wire. If you have drops (at the capture PC or SPAN port) your calculations will be off.

answered 14 Mar '13, 02:30

Jasper ♦♦

edited 14 Mar '13, 02:31
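
The approach from the answer as a script, added here as an example and not part of the original thread: it brackets a conversation filter, appends the symptom, and counts matching frames per TCP stream with tshark. The function names, the host addresses given on the command line and the inclusion of tcp.analysis.fast_retransmission are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Usage: sh lost_segments.sh capture.pcap HOST_A HOST_B

# conv_filter A B -> display filter matching traffic between two hosts
conv_filter() {
    printf 'ip.addr==%s && ip.addr==%s' "$1" "$2"
}

# with_symptom FILTER SYMPTOM -> put the conversation filter in brackets
# and append the symptom, as described in the answer
with_symptom() {
    printf '(%s) and %s' "$1" "$2"
}

# count_by_stream PCAP FILTER -> one "count stream-index" line per TCP stream
count_by_stream() {
    tshark -r "$1" -Y "$2" -T fields -e tcp.stream | sort -n | uniq -c
}

if [ "$#" -eq 3 ]; then
    pcap=$1
    conv=$(conv_filter "$2" "$3")

    # Frames that follow a gap; one marker can stand for several lost packets.
    lost=$(with_symptom "$conv" 'tcp.analysis.lost_segment')

    # Each lost packet has to be retransmitted, so these approximate the
    # number of lost packets. Wireshark flags fast retransmissions with a
    # separate field, so both are included (assumption of this example).
    retx=$(with_symptom "$conv" \
        '(tcp.analysis.retransmission or tcp.analysis.fast_retransmission)')

    echo "Lost-segment markers per stream: $lost"
    count_by_stream "$pcap" "$lost"
    echo "Retransmissions per stream: $retx"
    count_by_stream "$pcap" "$retx"
fi
```

The printed filter strings can be pasted into the Wireshark display filter bar to view the same frames. The counts are only meaningful if the capture itself did not drop packets.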