This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to check number of packets with duplicate IP identification Field

0

Hello All,

I am working on a capture with UDP packets; as part of problem isolation I need to find out if there are any duplicate packets or packet loss. The concerned traffic is passing through multiple service provider / MPLS links, and I have sniffer traces from the server as well as the client to conclude on this, as we cannot have service provider end sniffer traces for sure :-).

Since the concerned application is running on UDP, the only way I can think of to compare captures is with the IP Identification field. I have already noticed that it's not been changed by the firewall in between.

Here are my queries.

  1. Is there a way to find out HOW MANY PACKETS and WHICH ONES are being sent across with the same IP identification number in the capture? Please note, there is no fragmentation; I have already checked that using ip.flags.mf==1. So, if there are packets with the same identification field we can conclude there are duplicate packets in the network for that source and destination. Once we get the concerned IP.id we can apply a filter and conclude on which one and after what duration, after some bps, or tailoring etc etc.

  2. After going through close to a few thousand packets I can notice that the IP Identification field is getting incremented by 1 on every packet, like 18700, 18701 etc. I have analyzed that by creating a column. Now I would like to know if there is a way to check if any specific IP ID is missing in the capture.

I am open to running a script if needed.

Regards,

-Deepak

This question is marked "community wiki".

asked 17 Jul '11, 09:34

Deepak


One Answer:

0

(1) could probably be solved using MATE. As an example, this is a MATE "script" I used to use to detect SCTP retransmissions (that is, multiple packets with the same TSN number):

    Pdu sctp_pdu Proto sctp Transport ip {
        //Extract addr From ip.addr;
        //Extract port From sctp.port;
        Extract vtag From sctp.verification_tag;
        Extract tsn From sctp.data_tsn;
        //Extract sctp_chunk From sctp.chunk_type;
    };

    Gop sctpretrans On sctp_pdu Match (vtag, tsn) {
        Start();
        Stop(never);
    };

    Done;

answered 19 Jul '11, 10:08

JeffMorriss ♦

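A script-based way to approach both questions, as an added example that is not part of the original question or answer: it reads tab-separated `frame.number`, `ip.src`, `ip.dst`, `ip.id` lines, for instance from `tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e ip.id`. The file name, the `analyze` function and the sample lines are constructed for illustration, and the gap check assumes, as observed in the question, that the sender increments the IP ID by 1 per packet.

```python
from collections import defaultdict

# Constructed sample: tab-separated frame.number, ip.src, ip.dst, ip.id,
# in the shape tshark prints with -T fields (addresses are documentation ranges).
SAMPLE = """\
1\t192.0.2.10\t198.51.100.20\t0xfffe
2\t192.0.2.10\t198.51.100.20\t0xffff
3\t192.0.2.10\t198.51.100.20\t0x0000
4\t192.0.2.10\t198.51.100.20\t0x0000
5\t192.0.2.10\t198.51.100.20\t0x0003
6\t198.51.100.20\t192.0.2.10\t0x1234
"""

def analyze(lines, max_gap=1000):
    """Return (duplicates {flow: {ip_id: [frames]}}, missing {flow: [ip_ids]})."""
    seen = defaultdict(lambda: defaultdict(list))   # flow -> ip.id -> frame numbers
    order = defaultdict(list)                       # flow -> ip.id values in capture order
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or not parts[3]:
            continue                                # non-IPv4 frame or empty field
        frame, src, dst, raw_id = parts
        ip_id = int(raw_id.split(",")[0], 0)        # first occurrence; hex or decimal
        flow = (src, dst)
        if ip_id not in seen[flow]:
            order[flow].append(ip_id)
        seen[flow][ip_id].append(int(frame))
    dups = {f: {i: fr for i, fr in ids.items() if len(fr) > 1} for f, ids in seen.items()}
    dups = {f: d for f, d in dups.items() if d}
    missing = {}
    for flow, ids in order.items():
        gaps = []
        for prev, cur in zip(ids, ids[1:]):
            step = (cur - prev) % 65536             # 16-bit counter wraps 65535 -> 0
            if 1 < step <= max_gap:                 # bigger jumps: reordering or restart
                gaps.extend((prev + k) % 65536 for k in range(1, step))
        gaps = [g for g in gaps if g not in seen[flow]]  # arrived late, not lost
        if gaps:
            missing[flow] = gaps
    return dups, missing

if __name__ == "__main__":
    dups, missing = analyze(SAMPLE.splitlines())
    print("duplicates:", dups)
    print("missing:", missing)
```

A flow of more than 65536 packets reuses IP IDs legitimately, so run this over time slices of a long capture and compare the client-side and server-side results per flow.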