Comparison of captured traffic

asked 2020-05-20 18:21:56 +0000

ZdenekBak

updated 2020-05-20 18:54:31 +0000

Hello, I'm facing a problem that I can't figure out.

My goal: Compare pcaps and measure the loss in capture.

Scenario: I've sent data (a 1.5 GB file) from laptop A via WiFi to a shared directory on laptop B. On laptop A I've run a Wireshark capture on the sending wlan adapter (in promiscuous mode). Between these laptops I have a sniffer (a router with wlan in monitor mode) that captures the WiFi traffic in monitor mode = raw 802.11 frames. After the file transfer was done I stopped capturing on both devices. Now, what I want to do is to compare these two pcap files and measure the frame/packet/data loss = whether I captured all data with the sniffer and how many of them are missing. The problem is that the pcap from laptop A contains packets with TCP and other protocols, but the pcap from the sniffer contains raw frames (no protocols). I captured the handshake and I know my WiFi password, so I'm able to decrypt some traffic to see packets and protocols like TCP.

So my question is, how can I compare/measure captured traffic (data transfer) from these two pcap files? Is it possible to follow sequence numbers and compare them?

The pcap file from laptop A is 1.7 GB and the file from the sniffer is 1.3 GB. So when the transferred file is 1.5 GB I assume that I did not capture all traffic, but I need to know how many frames/packets I missed.


Comments

Assuming no segmentation offload on the sending side to munge things up, I would use the ip.id field (with any luck it is incremented) to compare wired and wireless frames in the two captures (assuming decrypted wireless, of course).

> Problem is, that pcap from laptop A contains packets with TCP protocols and other..

Yes, of course, there is lots of other data, so you need to filter. Find the data traffic that corresponds to the file sharing utility you used and filter on that. It totally depends on how you shared the file as to what filter to use - probably obvious from the capture anyway - a LOT of full size frames going in one direction... strong clue.

1.5 GB is a lot of data to look through; you might want some type of automation and/or graphical analysis to assist. I would suggest practicing with a smaller file until your method is proven.

Bob Jones ( 2020-05-20 18:44:27 +0000 )

Thanks for the reply. I filtered the traffic to see just laptop A's source IP and laptop B's destination IP. Thanks for the ip.id field tip, but this field has 16 bits, so it starts to repeat after the number 65535 is reached. What about the sequence number (tcp.seq_raw), which looks more unique? From the sniffer's pcap I can see a lot of "TCP ACKed unseen segment". Does that mean that it wasn't able to capture some packets?

ZdenekBak ( 2020-05-20 21:08:29 +0000 )
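As an added example (not code from either poster), here is one way to do the comparison the thread converges on: export ip.id, tcp.seq_raw and tcp.len from both captures with tshark, then key each packet on the (ip.id, tcp.seq_raw) pair so that the 16-bit ip.id wrap and TCP retransmissions (same sequence number, new ip.id) do not hide a lost packet. The tshark output below is constructed, and `A`/`B` in the filter stand for the two laptops' IP addresses.

```python
from collections import Counter

# Constructed sample of what this tshark invocation prints for each capture:
#   tshark -r capture.pcap -Y "ip.src==A && ip.dst==B && tcp" \
#          -T fields -e ip.id -e tcp.seq_raw -e tcp.len
# Columns: ip.id, raw TCP sequence number, TCP payload length.
SENDER_FIELDS = """\
0x0001\t1000\t1460
0x0002\t2460\t1460
0x0003\t3920\t1460
0x0004\t5380\t1460
0x0005\t3920\t1460
0x0006\t6840\t1460
"""
# Decrypted sniffer capture: the original seq 3920 (ip.id 0x0003) was missed,
# only its retransmission (ip.id 0x0005) was seen -> "TCP ACKed unseen segment".
SNIFFER_FIELDS = """\
0x0001\t1000\t1460
0x0002\t2460\t1460
0x0004\t5380\t1460
0x0005\t3920\t1460
0x0006\t6840\t1460
"""

def parse_fields(text):
    """Count packets keyed on (ip.id, tcp.seq_raw); also remember payload length.

    ip.id alone wraps after 65535 packets and tcp.seq_raw alone repeats on
    retransmission; the pair stays unique across a 1.5 GB transfer.
    """
    seen, lengths = Counter(), {}
    for line in text.splitlines():
        if line.strip():
            ip_id, seq, tcp_len = line.split("\t")
            key = (int(ip_id, 16), int(seq))
            seen[key] += 1
            lengths[key] = int(tcp_len)
    return seen, lengths

def capture_loss(sender_text, sniffer_text):
    """Report which of laptop A's packets the sniffer never captured."""
    sent, lengths = parse_fields(sender_text)
    sniffed, _ = parse_fields(sniffer_text)
    missing = sent - sniffed  # multiset difference: in A's capture, not the sniffer's
    missed_packets = sum(missing.values())
    total = sum(sent.values())
    return {"sent": total,
            "missed_packets": missed_packets,
            "missed_bytes": sum(lengths[k] * n for k, n in missing.items()),
            "loss_pct": round(100.0 * missed_packets / total, 2),
            "missing_keys": sorted(missing)}
```

Keying on tcp.seq_raw alone would report no loss here, because the retransmission carries the same sequence number as the missed original.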