This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ESP sequence check for lost packets?


Is there a way to check the correct sequence of ESP packets, looking for lost ones?

Without knowing any key or encryption algorithm, a basic quality check of an encrypted flow could be to check the esp.sequence field, which should be monotonically increasing within the same flow, identified by the esp.spi field.

My first idea would be to extract the fields at the command line and continue with Perl, but a nice feature in Wireshark would be to colorize the lost packets as in TCP.

asked 03 Nov '10, 11:09

S Peters

edited 03 Nov '10, 11:10

This sounds like a good idea to me as well. Not much to it, it seems. I guess I'm going to have to hack something up myself for now.

(02 Dec '13, 15:17) mbs

One Answer:


This feature does not yet exist, but you can file an enhancement bug report if you wish at https://bugs.wireshark.org/bugzilla/.

Until then, you might want to use tshark to find all ESP packets matching a specific SPI and then extract the esp.sequence field. Write the packet number and sequence number to a file that can then be analyzed in Excel or whatever your favorite spreadsheet application happens to be.

For example:

tshark -r esp.pcap -Y esp.spi==0xTBD -T fields -E header=y -e frame.number -e esp.sequence

While the above is probably the best method to use at this time (or the best method I can think of at least), there are some other things you could do in Wireshark, such as:

  • Add the esp.sequence (and possibly esp.spi) field as a custom column. Gaps still might not be very obvious though, but at least you'd be able to see the values more easily and be able to sort the packets by that column.
  • Just to find out if there are any missing packets, you can sort by the esp.sequence column, noting the MINseq and MAXseq values, then use the Advanced I/O Graphs to plot all packets containing the esp.sequence field, choosing Calc: SUM(*) of esp.sequence. Set the Tick interval as large as possible, i.e., 10 min. Finally, click the "Copy" button and paste the results into your spreadsheet. Sum all these values until you have one final value, which is basically a sum of all the esp.sequence values. I'll call this total TOTALseq. Next, apply the following formula:

[MAXseq * (MAXseq + 1) - MINseq * (MINseq - 1)] / 2 - TOTALseq

If there are no gaps, then the result will be zero; if you do have gaps, then what's left is the sum of all missing ESP sequence numbers. This won't necessarily tell you which ones are missing (unless you happen to get lucky where only one is missing), but it will at least tell you if there are any missing or not. Unfortunately, this method breaks down if there are any duplicate ESP packets.

answered 03 Dec '13, 13:02

cmaynard ♦♦

edited 03 Dec '13, 13:03
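The tshark-plus-spreadsheet procedure above, as an added example that is not part of the original answer: it parses the tab-separated output of tshark -T fields -E header=y (with esp.spi added as a field so several flows can be separated, which is an assumption of this example), lists the missing and duplicated sequence numbers per SPI, and evaluates the answer's MAXseq/MINseq/TOTALseq formula so you can see it give the sum of the missing numbers for a clean flow and a misleading result once duplicates are present. The sample output is constructed, not a real capture.

```python
"""Gap and duplicate check on ESP sequence numbers extracted with tshark."""
from collections import defaultdict

# Constructed sample of tshark -T fields -E header=y output (tab-separated)
# for the command in the answer, with esp.spi as an extra field. Not real data.
SAMPLE_TSHARK_OUTPUT = """frame.number\tesp.spi\tesp.sequence
1\t0x0000abcd\t1
2\t0x0000abcd\t2
3\t0x00001234\t100
4\t0x0000abcd\t3
5\t0x0000abcd\t5
6\t0x00001234\t101
7\t0x0000abcd\t5
8\t0x00001234\t104
"""


def parse_tshark_fields(text):
    """Return {spi: [(frame.number, esp.sequence), ...]} from tshark output."""
    flows = defaultdict(list)
    for line in text.strip().splitlines()[1:]:  # skip the -E header=y line
        frame, spi, seq = line.split("\t")
        flows[spi].append((int(frame), int(seq)))
    return flows


def analyze_flow(packets):
    """Missing/duplicate sequence numbers for one SPI, plus the answer's formula.

    formula = [MAXseq*(MAXseq+1) - MINseq*(MINseq-1)]/2 - TOTALseq, which equals
    the sum of the missing sequence numbers only when no duplicates are present.
    Wrap-around and extended sequence numbers (ESN) are not handled here.
    """
    seqs = [seq for _, seq in packets]
    seen, duplicates = set(), set()
    for s in seqs:
        if s in seen:
            duplicates.add(s)
        seen.add(s)
    lo, hi = min(seqs), max(seqs)
    missing = sorted(set(range(lo, hi + 1)) - seen)
    formula = (hi * (hi + 1) - lo * (lo - 1)) // 2 - sum(seqs)
    return {"min": lo, "max": hi, "missing": missing,
            "duplicates": sorted(duplicates), "formula": formula}


def analyze(text):
    """Run analyze_flow over every SPI found in the tshark output."""
    return {spi: analyze_flow(p) for spi, p in parse_tshark_fields(text).items()}


if __name__ == "__main__":
    for spi, result in analyze(SAMPLE_TSHARK_OUTPUT).items():
        print(spi, result)
```

For SPI 0x00001234 the formula yields 205 = 102 + 103, the two missing numbers; for 0x0000abcd the duplicated 5 drives it to -1 even though 4 is missing, which is the breakdown the answer warns about.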

See also my answer to this question on SuperUser, Wireshark highlight missing sequence number. There I include a method for using your spreadsheet software to help identify gaps that I think is much easier and more reliable than my original answer here.

(06 Apr '17, 09:22) cmaynard ♦♦

For completeness, there has been sequence number analysis for ESP since September 2014, and it is enabled by default.

(06 Apr '17, 09:35) MartinM

Ah, so there is. Thanks for pointing that out. The version of Wireshark I use most of the time due to the proprietary dissectors we need does not have that option. Updating our dissectors has been on my TODO list so we can finally make use of all of Wireshark's shiny new features again. For anyone else, just use the latest version of Wireshark then.

(06 Apr '17, 09:42) cmaynard ♦♦