UDP Packet Loss

edit

I often need to troubleshoot packet captures where Wireshark does not have a dissector or proprietary protocol then the trick is count packets.

Try this. Filter by UDP stream. If the stream, started and ended at the same time then the packet count will be the same in all the captures.

Filter by UDP stream and source IP address. If the stream, started and ended at the same time then the packet count will be the same in all the captures.

Filter by UDP stream and destination IP address. If the stream, started and ended at the same time then the packet count will be the same in all the captures.

If the UDP stream, started and end at different times then align all the captures and verify if the count is the same.

Check the IP ID in one direction only and see if they are sequential. That is one pattern to check for packet loss.

Send a response if that doesn't work or you need help on the next step(s).

It depends. If the stream is encapsulated in a RTP over UDP stream it is very easy. Wireshark has some analysis tools in the Telephony:RTP menu

In the attached I took the sample H.265 over RTP file at https://gitlab.com/wireshark/wireshar... and deleted 3 frames. As you can see the RTP Streams tool shows 4 missing (apparently the sample already has a loss). You can also use the more detailed RTP Stream Analysis tool to show which frames are missing.

If you are sending raw UDP without a RTP encapsulation, I would still expect their to be a sequence number in the payload that you can look for missing frames. You could then write some LUA code to a delta between that sequence number and say that in the previous frame (in the same UDP stream). If the delta wasn't one, than you could flag there being a missing frame (or at least it is out of order)