Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2019-07-07 09:00:54 +0000

SYN-bit gravatar image

Please be very careful when using ip.id as an indicator for packet loss. Not all systems use the same algorithm to create ip.id numbers. I (think I) have seen the following patterns over time:

  • one counter for the whole system. IE when other processes are also sending data, then you will have gaps in the ip.id numbers for your specific UDP stream
  • one counter per process. In this case your method will work, but are you sure this method is used by all systems that you want to track?
  • random ip.id numbers. Your method will not work here obviously, do you have control over the sending side so you can be sure this method is not used?
  • 0x0000 for all packets. Your method will not work here obviously, do you have control over the sending side so you can be sure this method is not used?

Are you sure there is not a sequence number used in the payload of the UDP packets? If there is, you might want to write a Lua dissector for this protocol in which you expose the found sequence number to wireshark to filter on. And you can add some logic to determine if there are gaps and/or out-of-order udp packets.

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2