Wireshark (Version 3.0.0 (v3.0.0-0-g937e33de)) always shows DSCP value as CS0 for TCP and CS7 for UDP

asked 2019-06-04 04:39:46 +0000

lalit

updated 2019-06-04 04:45:01 +0000

Unlike Microsoft Network Monitor, Wireshark (Version 3.0.0 (v3.0.0-0-g937e33de)) always shows the DSCP value as CS0 for TCP and CS7 for UDP, irrespective of the actual value that is set.

Wireshark 2.x and Microsoft Network Monitor show the values properly.

How do I see the correct DSCP value using the latest Wireshark?



I don't see this. Can you share a capture file showing this? Any public file sharing site would do.

Jaap ( 2019-06-04 06:12:35 +0000 )

I'm not able to upload screenshots as it needs 60 points.

I am using a Windows Pro 1809 machine. Observed on multiple machines.

lalit ( 2019-06-04 07:01:31 +0000 )

> I'm not able to upload screenshots as it needs 60 points.

Jaap said "share a capture file", not "share a screenshot of what Wireshark displays for a capture file", and captures can be uploaded to sharing sites such as Dropbox/Google Drive/etc. to make it available.

Or you can report this as a bug on the Wireshark Bugzilla and attach a capture file to the bug report.

Guy Harris ( 2019-06-04 08:04:02 +0000 )

Please find here the UDP stream. https://drive.google.com/open?id=1cgd...

lalit ( 2019-06-04 09:04:11 +0000 )

This shows UDP packets with both CS7 and EF PHB for me.

Jaap ( 2019-06-04 12:20:18 +0000 )

I am referring to the outgoing packets with CS7 markings.

lalit ( 2019-06-06 08:59:23 +0000 )

You seem to know what 'incoming' and 'outgoing' mean; we have no such reference. From your remark I deduce that the interface you capture on has IP address, correct?

The capture indeed shows for all the UDP packets a DSCP of 56 (CS7). This is the packet contents as presented to Wireshark by the capture driver. What capture driver do you use? Did you switch to Npcap, or did you stay with WinPcap? If you switched, can you go back to WinPcap (keeping Wireshark as is) and see if that makes a difference? Or what happens if you update Npcap to version 0.995?

Jaap ( 2019-06-06 11:14:11 +0000 )

I am using Npcap 0.99-r9. I will check with WinPcap and let you know.

The outgoing UDP traffic markings are always shown as CS7 (56) by Wireshark, irrespective of the value I am marking. For the same packets, DSCP values are properly shown by Microsoft Network Monitor.

lalit ( 2019-06-06 13:14:03 +0000 )

Even with WinPcap, Wireshark is not showing correct DSCP values.

lalit ( 2019-06-06 13:53:18 +0000 )
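
An added example, not part of the thread and not Wireshark code: one way to check which DSCP is actually in the bytes the capture driver delivered, independent of any dissector, is to read the IPv4 ToS byte directly from a classic pcap file. The sample capture and the function names are constructed for illustration; the sketch assumes Ethernet link type and does not handle pcapng.

```python
import struct

# DSCP code points named in the thread; class selectors CSn are 8 * n.
NAMES = {46: "EF", **{8 * n: f"CS{n}" for n in range(8)}}
PROTOS = {6: "TCP", 17: "UDP"}

def read_dscp(pcap: bytes):
    """Return [(protocol, dscp, name)] for each Ethernet/IPv4 packet in a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    out, off = [], 24                      # 24-byte global header
    while off + 16 <= len(pcap):           # 16-byte per-record header
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + minimal IPv4 header (20), EtherType 0x0800, version 4.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        dscp = frame[15] >> 2              # ToS byte: upper 6 bits DSCP, lower 2 ECN
        proto = PROTOS.get(frame[23], str(frame[23]))
        out.append((proto, dscp, NAMES.get(dscp, f"DSCP {dscp}")))
    return out

def sample_pcap() -> bytes:
    """Constructed capture: UDP with ToS 0xE0, UDP with ToS 0xB8, TCP with ToS 0x00."""
    def frame(tos, proto):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        return bytes(12) + b"\x08\x00" + ip
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for tos, proto in ((0xE0, 17), (0xB8, 17), (0x00, 6)):
        f = frame(tos, proto)
        data += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return data

if __name__ == "__main__":
    for row in read_dscp(sample_pcap()):
        print(row)
```

If the values read this way match what Wireshark displays, the marking was already in the packet bytes as captured, which points at the capture path rather than the dissector.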