Wireshark (Version 3.0.0 (v3.0.0-0-g937e33de) ) always shows DSCP value as CS0 for TCP and CS7 for UDP

asked 2019-06-04 04:39:46 +0000

lalit

updated 2019-06-04 04:45:01 +0000

Unlike Microsoft Network Monitor, Wireshark (Version 3.0.0 (v3.0.0-0-g937e33de)) always shows the DSCP value as CS0 for TCP and CS7 for UDP, irrespective of the actual value set.

Wireshark 2.x and Microsoft Network Monitor show the values properly.

How do I see the correct DSCP value using the latest Wireshark?


I don't see this. Can you share a capture file showing this? Any public file sharing site would do.

Jaap ( 2019-06-04 06:12:35 +0000 )

I'm not able to upload screenshots as it needs 60 points.

I am using a Windows Pro 1809 machine. Observed on multiple machines.

lalit ( 2019-06-04 07:01:31 +0000 )

> I'm not able to upload screenshots as it needs 60 points.

Jaap said "share a capture file", not "share a screenshot of what Wireshark displays for a capture file", and captures can be uploaded to sharing sites such as Dropbox/Google Drive/etc. to make it available.

Or you can report this as a bug on the Wireshark Bugzilla and attach a capture file to the bug report.

Guy Harris ( 2019-06-04 08:04:02 +0000 )

Please find here the UDP stream. https://drive.google.com/open?id=1cgd...

lalit ( 2019-06-04 09:04:11 +0000 )

This shows UDP packets with both CS7 and EF PHB for me.

Jaap ( 2019-06-04 12:20:18 +0000 )

I am referring to the outgoing packets with CS7 markings.

lalit ( 2019-06-06 08:59:23 +0000 )

You seem to know what 'incoming' and 'outgoing' mean; we have no such reference. From your remark I deduce that the interface you capture on has IP address, correct?

The capture indeed shows for all the UDP packets a DSCP of 56 (CS7). This is the packet contents as presented to Wireshark by the capture driver. What capture driver do you use? Did you switch to Npcap, or did you stay with WinPcap? If you switched, can you go back to WinPcap (keeping Wireshark as is) and see if that makes a difference? Or what happens if you update Npcap to version 0.995?

Jaap ( 2019-06-06 11:14:11 +0000 )

I am using Npcap 0.99-r9. I will check with WinPcap and let you know.

The outgoing UDP traffic markings are always shown as CS7 (56) by Wireshark irrespective of the value I am marking. For the same packets, DSCP values are properly shown by Microsoft Network Monitor.

lalit ( 2019-06-06 13:14:03 +0000 )

Even with WinPcap, Wireshark is not showing correct DSCP values.

lalit ( 2019-06-06 13:53:18 +0000 )

Well, "not showing the correct dscp values" might not be the correct statement here. I've loaded your capture file in both Wireshark 2.4 (v2.4.16rc0-19-g2cd40589d8) and Wireshark 2.6 (v2.6.10rc0-22-g8e4ce399) and both give the same result for the UDP packets from to the DS field has value 0xe0, therefore the DSCP field is CS7.

So the question remains, what did you see previously? Was that the exact same situation? Can you still replicate that previous result? Otherwise, can you capture 'on the wire' instead of on the interface? That means through some intermediate capture point, e.g., a span port.

Jaap ( 2019-06-06 14:58:19 +0000 )

Please refer to https://drive.google.com/open?id=1qrQ... (may help to compare 2.4 and 2.6+ version captures), a capture using Wireshark version 2.4 from the same machine. In version 2.4 the values match what I am setting, but with the 2.6+ version the outgoing UDP packets are always shown marked with CS7 and TCP with CS0.

lalit ( 2019-06-12 11:59:50 +0000 )
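
Added example, not part of the thread and not Wireshark code: a Python sketch that reads the DS byte straight from the bytes stored in a capture file, so the DSCP a dissector displays (for example DS 0xe0 read as CS7) can be compared with what the capture driver actually recorded. It assumes a microsecond-resolution classic pcap (not pcapng) with untagged Ethernet/IPv4 frames; `split_ds`, `dscp_from_pcap` and `sample_pcap` are names made up for this example, and the sample capture is constructed.

```python
import struct

# PHB names: class selectors (RFC 2474), assured forwarding (RFC 2597), EF (RFC 3246).
PHB = {c * 8: f"CS{c}" for c in range(8)}
PHB.update({8 * c + 2 * d: f"AF{c}{d}" for c in range(1, 5) for d in range(1, 4)})
PHB[46] = "EF"

def split_ds(ds):
    """Split the 8-bit DS byte into (DSCP, ECN, PHB name)."""
    dscp = ds >> 2  # upper six bits; the lower two are ECN
    return dscp, ds & 0x03, PHB.get(dscp, "unassigned")

def dscp_from_pcap(data):
    """Return [(protocol, DSCP, ECN, PHB)] for IPv4-over-Ethernet packets in a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type (1) is handled")
    results, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip anything that is not an untagged IPv4 frame with a full 20-byte header.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        proto = {6: "TCP", 17: "UDP"}.get(frame[23], str(frame[23]))
        results.append((proto,) + split_ds(frame[15]))
    return results

def sample_pcap():
    """Constructed capture: UDP with DS 0xe0 and 0xb8, TCP with DS 0x00."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ds, proto in ((0xE0, 17), (0xB8, 17), (0x00, 6)):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, ds, 20, 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frame = bytes(12) + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for row in dscp_from_pcap(sample_pcap()):
        print(row)
```

If the values read this way match what Wireshark displays, the marking was already in the bytes delivered by the capture driver rather than introduced by the dissector.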