This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you disable wireshark relative sequence numbers with RPCAP and UDP encapsulation?

We have recently developed a remote packet capture tool in the form of an SFP that can be plugged into a switch, router or NID. It is capable of bi-directional capture of traffic with 5 tuple filters at line rate. It then adds meta data such as hardware based timestamp, sequence number and length and optionally truncates packets before forwarding as UDP to wireshark using RPCAP protocol.

Wireshark replaces the original sequence numbers with its own. I see there is a feature with TCP encapsulation to disable Wireshark relative sequence numbers and use the original ones. Is there something equivalent with UDP encapsulation?

capture rpcap remote sfp packet

asked 26 Apr '16, 16:46

Eitan
6●1●1●3
accept rate: 0%

What do you mean by sequence numbers with reference to UDP?

(27 Apr '16, 02:39) grahamb ♦

2 Answers:

For RPCAP-over-TCP, the sequence numbers are TCP sequence numbers, and the TCP dissector can either display them as the raw sequence numbers in the packet or as sequence numbers relative to the initial sequence number.

For RPCAP-over-UDP, the sequence numbers are RPCAP sequence numbers, as UDP has no sequence numbers. If you're dissecting the RPCAP protocol, they're always displayed as the raw sequence number.

However, if by "Wireshark's relative sequence number" you're referring to the packet number column:

If you're dissecting a local capture that includes RPCAP packets, the packet number column will, as is always the case in Wireshark, be the ordinal number of the packet as seen by Wireshark; not all packets in such a capture are necessarily RPCAP packets, so it makes no sense to use the RPCAP sequence number. You could add the RPCAP sequence number as a custom column. If your sequence number is separate from RPCAP-over-UDP's sequence number, and you want to display that as a column, you could add that as a custom column.

If you have a remote capture taken using RPCAP, the RPCAP sequence number has been discarded, and there's no way to display it.

answered 27 Apr '16, 11:28

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

Thanks Guy,

Appreciate the explanation. Also learnt today from our system engineering that they found the following work around to see the RPCAP sequence number:
1. Open 1st Wireshark capture on the local PC port
2. Open a 2nd Wireshark and capture from remote smart SFP
3. Look in 1st Wireshark with display filter set to “rpcap and udp”, look for field “rpcap frame number” (this will display the RPCAP packets with the RPCAP encapsulation)

answered 27 Apr '16, 23:03

Eitan
6●1●1●3
accept rate: 0%