
We have recently developed a remote packet capture tool in the form of an SFP that can be plugged into a switch, router or NID. It is capable of bi-directional capture of traffic with 5-tuple filters at line rate. It then adds metadata such as a hardware-based timestamp, sequence number and length, and optionally truncates packets before forwarding them as UDP to Wireshark using the RPCAP protocol.

Wireshark replaces the original sequence numbers with its own. I see there is a feature with TCP encapsulation to disable Wireshark relative sequence numbers and use the original ones. Is there something equivalent with UDP encapsulation?

asked 26 Apr '16, 16:46


Eitan

What do you mean by sequence numbers with reference to UDP?

(27 Apr '16, 02:39) grahamb ♦

For RPCAP-over-TCP, the sequence numbers are TCP sequence numbers, and the TCP dissector can either display them as the raw sequence numbers in the packet or as sequence numbers relative to the initial sequence number.

For RPCAP-over-UDP, the sequence numbers are RPCAP sequence numbers, as UDP has no sequence numbers. If you're dissecting the RPCAP protocol, they're always displayed as the raw sequence number.

However, if by "Wireshark's relative sequence number" you're referring to the packet number column:

If you're dissecting a local capture that includes RPCAP packets, the packet number column will, as is always the case in Wireshark, be the ordinal number of the packet as seen by Wireshark; not all packets in such a capture are necessarily RPCAP packets, so it makes no sense to use the RPCAP sequence number. You could add the RPCAP sequence number as a custom column. If your sequence number is separate from RPCAP-over-UDP's sequence number, and you want to display that as a column, you could add that as a custom column.

If you have a remote capture taken using RPCAP, the RPCAP sequence number has been discarded, and there's no way to display it.


answered 27 Apr '16, 11:28


Guy Harris ♦♦

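To make the distinction in the answer above concrete: with RPCAP-over-UDP the only sequence number on the wire is the `npkt` field of the RPCAP packet header, so any "relative sequence number" or loss detection has to be done on that field rather than on anything UDP provides. The following is an added example, not code from the original post or from libpcap/Wireshark. It builds a few constructed RPCAP_MSG_PACKET datagrams using the header layout from libpcap's rpcap-protocol.h (8-byte rpcap_header followed by a 20-byte rpcap_pkthdr, all fields big-endian), parses them back, and reports gaps in `npkt` and packets that were truncated by the capture (caplen smaller than len). Timestamps and payloads are made up; the length checks against `plen` and `caplen` are there because the lengths come from an unauthenticated UDP peer and must not be trusted.

```python
import struct
from collections import namedtuple

# Layouts from libpcap's rpcap-protocol.h; everything is network byte order.
RPCAP_HEADER = struct.Struct("!BBHI")   # ver, type, value, plen
RPCAP_PKTHDR = struct.Struct("!IIIII")  # timestamp_sec, timestamp_usec, caplen, len, npkt
RPCAP_VERSION = 0
RPCAP_MSG_PACKET = 7                    # message type that carries one captured packet

RpcapPacket = namedtuple("RpcapPacket", "ts_sec ts_usec caplen wirelen npkt data")


def build_rpcap_udp(npkt, data, wirelen=None, ts=(0, 0)):
    """Build one RPCAP_MSG_PACKET datagram (used here only to construct sample input)."""
    wirelen = len(data) if wirelen is None else wirelen
    payload = RPCAP_PKTHDR.pack(ts[0], ts[1], len(data), wirelen, npkt) + data
    return RPCAP_HEADER.pack(RPCAP_VERSION, RPCAP_MSG_PACKET, 0, len(payload)) + payload


def parse_rpcap_udp(datagram):
    """Parse one RPCAP packet message; raises ValueError on anything malformed."""
    if len(datagram) < RPCAP_HEADER.size + RPCAP_PKTHDR.size:
        raise ValueError("datagram too short for an RPCAP packet message")
    ver, mtype, _value, plen = RPCAP_HEADER.unpack_from(datagram, 0)
    if ver != RPCAP_VERSION:
        raise ValueError("unsupported RPCAP version %d" % ver)
    if mtype != RPCAP_MSG_PACKET:
        raise ValueError("not a packet message (type %d)" % mtype)
    payload = datagram[RPCAP_HEADER.size:]
    if len(payload) < plen:
        # plen is attacker-controlled: never index past the bytes we actually received
        raise ValueError("RPCAP payload truncated (plen=%d, have %d)" % (plen, len(payload)))
    ts_sec, ts_usec, caplen, wirelen, npkt = RPCAP_PKTHDR.unpack_from(payload, 0)
    data = payload[RPCAP_PKTHDR.size:RPCAP_PKTHDR.size + caplen]
    if len(data) != caplen:
        raise ValueError("caplen %d exceeds payload" % caplen)
    return RpcapPacket(ts_sec, ts_usec, caplen, wirelen, npkt, data)


def is_valid_rpcap_udp(datagram):
    try:
        parse_rpcap_udp(datagram)
        return True
    except ValueError:
        return False


def sequence_gaps(packets):
    """Return (last_seen, next_seen) pairs where npkt did not advance by exactly one."""
    gaps, prev = [], None
    for p in packets:
        if prev is not None and p.npkt != prev + 1:
            gaps.append((prev, p.npkt))
        prev = p.npkt
    return gaps


# Constructed sample stream: remote ordinal 4 never arrived, and ordinal 3 was
# truncated to 32 bytes of a 1514-byte frame by the capture device.
SAMPLE_DATAGRAMS = [
    build_rpcap_udp(1, b"\x00" * 60, ts=(1461714000, 0)),
    build_rpcap_udp(2, b"\x00" * 60, ts=(1461714000, 120)),
    build_rpcap_udp(3, b"\x00" * 32, wirelen=1514, ts=(1461714000, 250)),
    build_rpcap_udp(5, b"\x00" * 60, ts=(1461714000, 400)),
]


def analyze(datagrams):
    """Summarise a list of RPCAP-over-UDP datagrams by their remote sequence numbers."""
    pkts = [parse_rpcap_udp(d) for d in datagrams]
    return {
        "npkts": [p.npkt for p in pkts],
        "gaps": sequence_gaps(pkts),
        "truncated": [p.npkt for p in pkts if p.caplen < p.wirelen],
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_DATAGRAMS))
```

The `npkt` values are the remote capture's ordinals; Wireshark's own packet number column for a local capture of these datagrams would simply be 1, 2, 3, 4, which is exactly why the two should not be confused. If you add the dissector's field for `npkt` as a custom column (the filter field name is assumed here to be `rpcap.npkt`; confirm it in the packet details pane), the gap at 3 to 5 becomes visible in the GUI the same way `sequence_gaps` reports it here.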
Thanks Guy,

Appreciate the explanation. I also learnt today from our system engineering that they found the following workaround to see the RPCAP sequence number:
1. Open 1st Wireshark capture on the local PC port
2. Open a 2nd Wireshark and capture from remote smart SFP
3. Look in 1st Wireshark with display filter set to “rpcap and udp”, look for field “rpcap frame number” (this will display the RPCAP packets with the RPCAP encapsulation)


answered 27 Apr '16, 23:03


Eitan

