This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter for Out of Sequence packets based on IP Identification number?

0

Hi

I've currently got a problem where traffic is being delivered out of sequence over an MPLS link. The traffic is UDP and the only way that I can see the OOS packets is by the IP Identification field. However, as the link is a WAN link and the problem is intermittent, there is a lot of traffic to work through. Therefore does anyone know how to apply a display filter that will identify any OOS packets based on the IP Identification number?

Any thoughts appreciated.

Thanks

Malcolm

asked 14 Jun '13, 03:36


Malcolm
accept rate: 0%

edited 15 Jun '13, 20:11


grahamb ♦

Hi

Thanks for your responses. I used the CSV approach, exported it to Excel and then looked for differences, and it worked really well.

Thanks again for your help.

Malcolm

(14 Jun '13, 08:36) Malcolm

If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(14 Jun '13, 11:18) Kurt Knochner ♦

3 Answers:

2

If I get you right, you want to have a display filter for packets having OOS IP IDs, right? I'm not aware of anything like that, due to Wireshark being unable to filter for something like "ip.id < (lastframe ip.id)" or other conditional stuff.

As a quick workaround for those cases, I always filter for the source IP I'm interested in, add a column for IP ID in that case, and export the whole bunch to a .csv file.

With this one you can use e.g. Excel to quickly build a "delta" column for IP IDs, displaying the difference to the line above, and by that spot OOS very quickly.

answered 14 Jun '13, 04:16


Landi
accept rate: 28%

2

A Lua script might be able to do that.

Or tshark with some cli-fu:

# -Y is the display-filter option in current tshark (older releases used -R).
# NR>1 skips the first line (no previous ID yet); the 64512 guard keeps a
# 16-bit wrap (e.g. 65535 -> 0) from being reported as out of sequence.
tshark -r <file> -Y "udp.port==xxx" -T fields -e frame.number -e ip.id  |\
    awk --non-decimal-data 'NR>1 && $2<lastipid && $2+64512>lastipid {printf "%d : %d (last %d)\n",$1,$2,lastipid} {lastipid=$2}'

Running this on a UDP trace I have results in output like this:

761 : 8441 (last 44316)
1430 : 18630 (last 44560)
1854 : 6376 (last 44796)
2658 : 45035 (last 58035)

Of course if you have multiple sessions in your trace, you either need to do some session housekeeping in awk or you can loop over all sessions with a little script.

answered 14 Jun '13, 04:46


SYN-bit ♦♦
accept rate: 20%

edited 14 Jun '13, 04:47
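The "session housekeeping" the answer above leaves to the reader, as an added example that is not part of the original answer: a small Python script that reads the same kind of tshark field output (here with ip.src and ip.dst added so packets can be grouped per flow) and applies the same 64512 wrap guard as the awk one-liner, but keeps the last IP ID per (src, dst) pair instead of one global value. The flow key, the script name ipid_oos.py and the sample lines are assumptions for the example; the sample is constructed, not taken from a real trace.

```python
import sys

# Cut-off shared with the awk one-liner above: a backward jump of at least this
# much means the 16-bit ID wrapped around 65535 -> 0, not that a packet arrived late.
WRAP_GUARD = 64512

# Constructed sample of what tshark prints with
#   -T fields -e frame.number -e ip.src -e ip.dst -e ip.id   (tab separated).
# Two flows are interleaved: frame 6 is a genuine reorder in the 10.0.0.1 flow,
# frame 8 is a legitimate wrap in the 10.0.0.2 flow and must not be reported.
SAMPLE = (
    "1\t10.0.0.1\t10.0.1.1\t0x0100\n"
    "2\t10.0.0.2\t10.0.1.1\t0xfffe\n"
    "3\t10.0.0.1\t10.0.1.1\t0x0101\n"
    "4\t10.0.0.2\t10.0.1.1\t0xffff\n"
    "5\t10.0.0.1\t10.0.1.1\t0x0103\n"
    "6\t10.0.0.1\t10.0.1.1\t0x0102\n"
    "7\t10.0.0.1\t10.0.1.1\t0x0104\n"
    "8\t10.0.0.2\t10.0.1.1\t0x0000\n"
    "9\t10.0.0.2\t10.0.1.1\t0x0001\n"
)


def parse_ipid(text):
    """tshark prints ip.id as 0x-hex in most versions; int(x, 0) also accepts decimal.
    Tunnelled packets give 'outer,inner'; the outer header is what the WAN reorders."""
    return int(text.split(",")[0], 0) & 0xFFFF


def is_backwards(prev_id, cur_id, guard=WRAP_GUARD):
    """True when cur_id is behind prev_id without a counter wrap in between."""
    return cur_id < prev_id and prev_id - cur_id < guard


def find_out_of_sequence(lines):
    """Per-flow check over tshark field lines.
    Returns (frame, src, dst, id, previous id, frame of previous id) per hit."""
    last = {}   # (src, dst) -> (frame, ip.id) of the most recent packet in that flow
    hits = []
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 4 or not fields[3]:
            continue            # blank line, or no ip.id at all (e.g. IPv6)
        frame, src, dst = int(fields[0]), fields[1], fields[2]
        cur = parse_ipid(fields[3])
        key = (src, dst)
        if key in last:
            prev_frame, prev_id = last[key]
            if is_backwards(prev_id, cur):
                hits.append((frame, src, dst, cur, prev_id, prev_frame))
        last[key] = (frame, cur)
    return hits


if __name__ == "__main__":
    # tshark -nr trace.pcap -Y "udp.port==xxx" -T fields \
    #     -e frame.number -e ip.src -e ip.dst -e ip.id | python3 ipid_oos.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for frame, src, dst, cur, prev, pframe in find_out_of_sequence(source):
        print(f"{frame} : {src} -> {dst} id {cur} (last {prev} in frame {pframe})")
```

Run without a pipe it processes the built-in sample and reports only frame 6. If the sender uses several source ports, extend the flow key with udp.srcport and udp.dstport (add the two -e fields and the two tuple members); the wrap guard stays the same.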

1

Either use one of the already mentioned methods (@Landi or @SYN-bit), or capture at both sides of the MPLS link (you just need the IP header, not the full payload), then run tshark (command below) and compare the tshark output with diff (Linux) or WinMerge (open-source Windows tool).

tshark -nr site-a.pcap -T fields -e frame.number -e ip.id > site-a.txt
tshark -nr site-b.pcap -T fields -e frame.number -e ip.id > site-b.txt

Then compare the files site-a.txt and site-b.txt.

diff site-a.txt site-b.txt

Or use WinMerge on Windows.

Regards
Kurt

answered 14 Jun '13, 04:56


Kurt Knochner ♦
accept rate: 15%

edited 14 Jun '13, 06:28
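A plain diff of site-a.txt and site-b.txt shows every line as changed once the frame numbers drift apart (they are per capture, not per packet), and it does not tell a packet that was reordered from one that was lost. The following Python script, added here as an example and not part of the original answer, reads the two files produced by the tshark commands above, compares only the ip.id sequence, and classifies each ID sent at site A as delivered in order, delivered out of order (a later-sent packet arrived before it), or never seen at site B. It assumes both files were filtered to one sender flow and cover fewer than 65536 packets, so an ID is unique within the window; the SITE_A and SITE_B contents are constructed sample data.

```python
# Constructed stand-ins for site-a.txt (sending side) and site-b.txt (receiving
# side) as written by the two tshark commands above: "frame.number<TAB>ip.id".
# Frame numbers differ between the captures, so only the ID sequence is compared.
# At B, 0x0012 arrives before 0x0011 (reorder) and 0x0013 never arrives (loss).
SITE_A = "1\t0x0010\n2\t0x0011\n3\t0x0012\n4\t0x0013\n5\t0x0014\n"
SITE_B = "7\t0x0010\n8\t0x0012\n9\t0x0011\n10\t0x0014\n"


def load_ids(text):
    """Return the ip.id values in capture order; lines without an ID are skipped.
    Handles tshark's 0x-hex output and the 'outer,inner' form of tunnelled packets."""
    ids = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and fields[1]:
            ids.append(int(fields[1].split(",")[0], 0) & 0xFFFF)
    return ids


def compare_sides(sent, received):
    """Classify sender-side IDs against the order they arrived at the receiver.
    Assumes one sender flow and fewer than 65536 packets, so each ID is unique."""
    order = {}
    for pos, ipid in enumerate(sent):
        order.setdefault(ipid, pos)    # keep the first position if an ID repeats
    received_set = set(received)
    lost = [i for i in sent if i not in received_set]
    reordered, unknown = [], []
    highest = -1                       # highest send position delivered so far
    for ipid in received:
        pos = order.get(ipid)
        if pos is None:
            unknown.append(ipid)       # seen at B but not at A: other traffic or a capture gap
            continue
        if pos < highest:
            reordered.append(ipid)     # something sent later overtook this packet
        else:
            highest = pos
    return {"lost": lost, "reordered": reordered, "unknown": unknown}


if __name__ == "__main__":
    import sys
    # python3 compare_sides.py site-a.txt site-b.txt   (script name is an assumption)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            sent, received = load_ids(a.read()), load_ids(b.read())
    else:
        sent, received = load_ids(SITE_A), load_ids(SITE_B)
    for kind, ids in compare_sides(sent, received).items():
        print(kind, [hex(i) for i in ids])
```

The "unknown" bucket is worth watching: a non-empty list usually means the two captures were not filtered identically, or that site B's capture started before site A's, rather than that the link injected packets.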