
Chart gaps between IP ID

asked 2019-06-19 15:48:26 +0000

bhilgenkamp

I have a UDP stream that increments each packet's IP ID by one. Since this is UDP and I have no way to show packet loss via dup acks or retransmissions, I'd like a way to visualize packet loss by seeing gaps between the packets. I.e., if ip.ids are 5,6,9,10 I could see a loss of 7 packets. Is there any way to chart this in Wireshark?


2 Answers


answered 2019-06-19 16:39:40 +0000

updated 2019-06-19 16:40:05 +0000

No, not really.

You can do this task in different ways. I'll show you two of them.

You can use tshark -> Have a detailed look here

You can use the "File -> Export Packet Dissections -> As CSV..." dialog to export the packet pane view to a CSV file. After that you can import it into Excel and do some sorting or scripting around it...



Looks like the URL for the YouTube link didn't come through properly. Can you post that again?

bhilgenkamp (2019-06-20 20:59:53 +0000)

I think @Christian_R was linking to my SharkfestUS '19 presentation about using tshark to solve packet challenges (the first part of the video id seems to match).

SYN-bit (2019-07-07 08:52:39 +0000)

answered 2019-07-07 09:00:54 +0000

SYN-bit

Please be very careful when using the IP ID as an indicator for packet loss. Not all systems use the same algorithm to create numbers. I (think I) have seen the following patterns over time:

  • one counter for the whole system. I.e., when other processes are also sending data, then you will have gaps in the numbers for your specific UDP stream
  • one counter per process. In this case your method will work, but are you sure this method is used by all systems that you want to track?
  • random numbers. Your method will not work here obviously, do you have control over the sending side so you can be sure this method is not used?
  • 0x0000 for all packets. Your method will not work here obviously, do you have control over the sending side so you can be sure this method is not used?

Are you sure there is not a sequence number used in the payload of the UDP packets? If there is, you might want to write a Lua dissector for this protocol in which you expose the found sequence number to Wireshark to filter on. And you can add some logic to determine if there are gaps and/or out-of-order UDP packets.

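Added example (not part of the original thread or written by either answerer): a Python sketch of the tshark route from the first answer, with the caveats from the second answer built in. It parses constructed rows shaped like `tshark -T fields` output, handles the 16-bit wraparound of the IP ID, and marks streams with constant or non-sequential IDs as unusable; `MAX_GAP`, the 25% threshold, `capture.pcap` and the sample addresses are assumptions.

```python
from collections import defaultdict

MAX_GAP = 1024  # assumption: a larger jump is treated as "not a counter", not as loss

# Constructed sample, shaped like tab-separated output of (capture.pcap is a placeholder):
#   tshark -r capture.pcap -Y udp -T fields -e frame.number -e ip.src -e ip.dst
#          -e udp.srcport -e udp.dstport -e ip.id
SAMPLE = """\
1\t10.0.0.1\t10.0.0.2\t5000\t6000\t0x0005
2\t10.0.0.1\t10.0.0.2\t5000\t6000\t0x0006
3\t10.0.0.1\t10.0.0.2\t5000\t6000\t0x0009
4\t10.0.0.1\t10.0.0.2\t5000\t6000\t0x000a
5\t10.0.0.3\t10.0.0.2\t5001\t6000\t0xfffe
6\t10.0.0.3\t10.0.0.2\t5001\t6000\t0xffff
7\t10.0.0.3\t10.0.0.2\t5001\t6000\t0x0000
8\t10.0.0.3\t10.0.0.2\t5001\t6000\t0x0001
9\t10.0.0.4\t10.0.0.2\t5002\t6000\t0x0000
10\t10.0.0.4\t10.0.0.2\t5002\t6000\t0x0000
"""

def analyze(text):
    """Return {stream: {"verdict": str, "gaps": [(frame, prev_id, cur_id, missing)]}}."""
    streams = defaultdict(list)
    for line in text.strip().splitlines():
        frame, src, dst, sport, dport, ipid = line.split("\t")
        streams[(src, dst, sport, dport)].append((int(frame), int(ipid, 16)))
    report = {}
    for key, pkts in streams.items():
        ids = [i for _, i in pkts]
        gaps, wild = [], 0
        for (_, prev), (frame, cur) in zip(pkts, pkts[1:]):
            delta = (cur - prev) % 0x10000          # 16-bit field, wraps at 65536
            if delta >= 0x8000 or delta - 1 > MAX_GAP:
                wild += 1                           # backward step or implausible jump
            elif delta > 1:
                gaps.append((frame, prev, cur, delta - 1))
        if len(ids) > 1 and len(set(ids)) == 1:
            verdict = "constant"                    # e.g. 0x0000 everywhere: unusable
        elif wild * 4 > len(ids) - 1:               # assumed threshold: >25% wild steps
            verdict = "non-sequential"              # e.g. random IDs: unusable
        elif gaps:
            verdict = "gaps"                        # loss OR a counter shared with other traffic
        else:
            verdict = "sequential"
        report[key] = {"verdict": verdict, "gaps": gaps}
    return report
```

A "gaps" verdict cannot by itself distinguish loss from a system-wide counter that is also consumed by other traffic, so treat the missing counts as an upper bound.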
