Hi, I'm trying to examine TCP packet loss over wireless. I start a capture and filter the results with the expression "ip.addr=={my ip address} and tcp". This works, but every packet displayed shows some sort of error in it (TCP checksum incorrect, Malformed packet, TCP previous segment not captured, etc). I have yet to see a packet come through without any of these tags. Am I unknowingly applying some filter that only shows these results?

Also, is there a way to see if packets are being dropped due to timeouts or packet reordering? I would also like to see packets at the data link layer. Is this possible through Wireshark?

Lastly, I would like to save the results shown in the main panel to a text file to do some parsing (for input into a Python program). What format should I be saving the capture as?

Thanks, Andy

EDIT: I've included a picture of what my screen typically looks like when capturing:

asked 01 Dec '13, 14:42 wolvie964
edited 02 Dec '13, 14:07 Guy Harris ♦♦
One Answer:
To answer a few of the questions:

The "bad checksum" error is 99.99999% of the time just a false alarm. Go to Edit > Preferences > Protocols, and under IPv4 and TCP disable the checksum check to get rid of it. The reason you see that is because Wireshark is seeing the packet before the checksum is actually getting calculated (so you'll see errors on the packets that your own machine is sending, but those errors aren't real).

Wireshark can dissect at the datalink layer, yes. That's usually the level it goes to, if for example you simply open a live packet capture on an Ethernet interface.

For the export to text question, yes. Depending on Wireshark version (assuming the latest), that would be File > Export Packet Dissections > as "Plain Text" file, and set the packet range to "Displayed" to push just the packets matching the current display filter to text.

For the last question on TCP warnings, where you're getting ACKs for segments not seen in the trace file, I guess my question is how this packet capture was produced? That error can mean that Wireshark did not receive some of the packets in the TCP stream which actually happened, though out-of-order packets as they're received by the analyzer can cause some of these error types as well.

For the question on whether it's possible to see whether packets are being dropped due to timeouts, at what layer are you referring?

answered 01 Dec '13, 19:02 Quadratic

Thank you for the response Quadratic. I'm interested in timeouts in the transport layer (retransmission timeout). Thanks, Andy (02 Dec '13, 01:19) wolvie964
I've figured out the saving part. I was doing Save as instead of Export Packet Dissections.
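Once the displayed packets have been exported with Export Packet Dissections as Plain Text (summary lines only), a short parser can tally Wireshark's TCP analysis tags (Retransmission, Previous segment not captured, Dup ACK) per flow, which is the kind of loss picture the question is after. This is an added example, not code from the thread; the column layout of SAMPLE, its addresses and ports are constructed to resemble the summary line, not real export output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the one-line-per-packet summary that the Plain Text
# export writes (column layout assumed; addresses and ports are made up).
SAMPLE = """\
No.     Time            Source          Destination     Protocol Length Info
      1 0.000000000     192.168.1.10    203.0.113.5     TCP      74     54321 > 443 [SYN] Seq=0 Win=29200 Len=0
      2 0.012000000     203.0.113.5     192.168.1.10    TCP      74     443 > 54321 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
      3 0.250000000     192.168.1.10    203.0.113.5     TCP      1514   [TCP Retransmission] 54321 > 443 [ACK] Seq=1 Ack=1 Win=29312 Len=1448
      4 0.300000000     203.0.113.5     192.168.1.10    TCP      66     [TCP Previous segment not captured] 443 > 54321 [ACK] Seq=2897 Ack=1449 Win=30016 Len=0
      5 0.301000000     192.168.1.10    203.0.113.5     TCP      66     [TCP Dup ACK 3#1] 54321 > 443 [ACK] Seq=1449 Ack=1 Win=29312 Len=0
"""

# No. Time Source Destination Protocol Length Info (Info keeps its spaces).
SUMMARY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
TAG_RE = re.compile(r"\[TCP ([^\]]+)\]")          # expert-info tags only, not [SYN]/[ACK]
PORTS_RE = re.compile(r"(\d+)\s*(?:>|->|\u2192)\s*(\d+)")  # "a > b" or "a -> b" or arrow

def parse_summary(text):
    """Return one dict per TCP summary line; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m or m.group(5) != "TCP":
            continue
        no, t, src, dst, _proto, length, info = m.groups()
        ports = PORTS_RE.search(info)
        sport, dport = (ports.group(1), ports.group(2)) if ports else ("?", "?")
        # "[TCP Dup ACK 3#1]" -> "Dup ACK": drop the frame/sequence suffix
        tags = [re.sub(r"\s+\d+#\d+$", "", tag) for tag in TAG_RE.findall(info)]
        flow = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent key
        rows.append({"no": int(no), "time": float(t), "length": int(length),
                     "flow": flow, "tags": tags, "info": info})
    return rows

def analysis_summary(text):
    """Tally TCP analysis tags overall and per flow."""
    per_tag, per_flow = Counter(), defaultdict(Counter)
    for row in parse_summary(text):
        for tag in row["tags"]:
            per_tag[tag] += 1
            per_flow[row["flow"]][tag] += 1
    return per_tag, dict(per_flow)

if __name__ == "__main__":
    totals, flows = analysis_summary(SAMPLE)
    for flow, counts in flows.items():
        print(flow, dict(counts))
    print("all flows:", dict(totals))
```

Replace SAMPLE with the contents of the exported file (open it and read it into a string) to run this over a real capture; lines for other protocols and the header row are ignored.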