Did you try using Wireshark's "Analyze -> Expert Information"? (You can also view it by clicking on the little red circle in the lower-left corner of the status bar, although the color of the circle will vary depending on the highest error level present in the capture file.)
Edit: Expanded my original answer with more information below ...
You can also view the RTP statistics under "Telephony -> RTP -> RTP Streams", which lists 23 lost packets. "Telephony -> RTP -> Stream Analysis" also provides potentially useful information.
Another potentially useful way to view the data is to use the I/O Graph. For example, "Statistics -> I/O Graph". Disable anything being plotted and add a new one, something like this:
Enabled Graph Name Display Filter Color Style Y Axis Y Field SMA Period
X RTP Seq rtp.seq X Line MIN(Y Field) rtp.seq None
You should see a rather straight diagonal line starting from the lower-left corner and ending at the top-right corner. Now change the Interval to 10ms and you'll see some sequence number gaps - for me, 3 gaps are easily observed, which are probably good indicators of where packet loss has occurred. For example, around 12:16:38, there's a gap and it can be seen that the RTP sequence # of 11634 is missing, which should be between Frames 10271 and 10272.
But if you want to more easily see where all the sequence number gaps are, then you probably want to export the Wireshark data into a spreadsheet program, such as Excel. For example:
- Right-click on the RTP sequence number field of any packet and choose, "Apply as Column"
- Export the file to CSV: File -> Export Packet Dissections -> As CSV...
- Open the .csv file with your speadsheet program
- Add a column whose contents is the difference between the RTP sequence number in the previous row and the RTP sequence number in the current row. For example, if the RTP sequence number is in column G, then the cell will contain
=G2-G1-1. If you select the entire column first and use "Ctrl-Enter" instead of just "Enter" when you add the formula, the formula will be quickly applied to all rows. (You might have to clean up some of the extraneous data past the last valid row.)
- Fix the first row of the new column by replacing the undefined value with a heading, such as "RTP Seq # diff".
- Any value other than 0 represents a gap in RTP sequence numbers.
- To more easily find all gaps, select the entire table and filter on this new column for all values other than 0 You should end up with a relatively small table that looks something like this:
No. AbsTime Time DeltaT Proto Length RTP Seq # RTP Seq # Diff
3405 16:33.7 2.199559 0.001005 MPEG TS 1370 4748 3
6505 16:35.7 4.203210 0.000139 MPEG TS 1370 7851 1
6631 16:35.8 4.287576 0.001001 MPEG TS 1370 7978 1
8781 16:37.2 5.728671 0.000102 MPEG TS 1370 10129 1
8855 16:37.3 5.781427 0.000254 MPEG TS 1370 10204 1
9476 16:37.7 6.213582 0.000816 MPEG TS 1370 10826 1
9728 16:37.9 6.389564 0.000634 MPEG TS 1370 11079 10
9981 16:38.1 6.572582 0.000978 MPEG TS 1370 11342 1
10271 16:38.3 6.774569 0.000796 MPEG TS 1370 11633 1
10311 16:38.3 6.803568 0.000995 MPEG TS 1370 11674 1
10979 16:38.8 7.268695 0.000068 MPEG TS 1370 12343 1
12361 16:39.7 8.186596 0.000177 MPEG TS 1370 13726 1
This should tell you where all the gaps are and how many packets were lost, which is just a sum of the last column, or 23, which exactly matches what Wireshark reported in the RTP analysis as lost packets.
Note: For anyone not familiar with decoding traffic on non-standard ports, in order to have Wireshark decode the UDP payload as RPT, you must use the "Decode As" feature as @nnovich-OK alluded to above. To do this, either select a UDP packet and right-click "Decode As", or choose "Analyze -> Decode As... -> + -> " and then set UDP port 4000 to be decoded as RTP by selecting RTP under the Current column.
