I have two Wireshark pcap files from the sender and receiver. I am streaming a live video from sender to receiver using different protocols: TCP, UDP, RTMP and RTSP. Is there a way to get packet loss from the two pcap files when a network disconnection occurs?
- What do you mean by "packet loss from the two pcap files"? – Malt Jul 10 '18 at 21:32
- Do you mean the pcap file retrieved at the receiver contains fewer packets than the one from the sender because of packet losses, and you'd like to compute the diff between the two files? – pchaigno Jul 11 '18 at 08:51
- @Malt While streaming, I introduce a failure, so that should result in packet loss which would be captured by Wireshark. I have Wireshark running at the sender and receiver, so comparing these two capture files could give how many packets were lost during the failure. I wanted to know if there are ways to get that number. – ST94 Jul 11 '18 at 15:14
- @pchaigno Yes, that is what I am trying to know. The difference would give me the number of packets missing or lost during that time of failure. – ST94 Jul 11 '18 at 15:16
2 Answers
Method 1: Count packets
If you know for sure that the receiver didn't receive packets from another sender, you can simply count the number of packets in each capture file to get the number of dropped packets:
$ capinfos file1.pcap | grep "Number of packets:"
Number of packets: 12
$ capinfos file2.pcap | grep "Number of packets:"
Number of packets: 18
Here, I have a 4-packet difference because the capture of file2 was started before file1's.
Method 2: Compare the text dumps
$ tshark -r file1.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file1.txt
$ tshark -r file2.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file2.txt
$ diff file1.txt file2.txt
0a1,2
> 172.16.0.67 172.16.0.97 22 56732
> 172.16.0.97 172.16.0.67 56732 22
Here I dump a few field values for each packet that, in my case, are sufficient. You might need to dump different field values. Diffing the two text files reveals that file2.pcap contains 2 more packets.
Method 3: Install a dedicated tool
If you're not against installing a new tool, there are several that can do that for you:
Tracediff will print details for each packet that differs between the two capture files. You can use the following to extract the number of different/missing files:
$ sudo apt install tracediff
$ tracediff file1.pcap file2.pcap | grep "Capture: Packet Length:" | wc -l

- In my capture file, other than TCP packets, there are also ARP, DHCP and ICMP packets. I would like to know how many data packets were lost. I have tried method 1, and it gives me the number of packets in each pcap file, which is also displayed in Wireshark at the bottom right of the window. I also tried Method 3 and it gives me info such as packet length, direction value, header length, ID, source ip, destination ip, seq, ack etc. From which value would I know the number of lost data packets? – ST94 Jul 11 '18 at 18:13
- In Method 2, what does "0a1,6" mean? And how did you know that file2.pcap contains 2 more packets? – ST94 Jul 11 '18 at 18:20
- That's the format from diff. See https://unix.stackexchange.com/a/216131/238209 for details. – pchaigno Jul 11 '18 at 18:50
- Is method 1 not working for you? For method 3, if you run the exact command I gave, it should return the number of lost packets. For method 2, you'll have to add other fields to the output of tshark. – pchaigno Jul 11 '18 at 18:52
- Method 1 gives the total number of packets in the pcap file. My pcap file has TCP packets as well as ARP, DHCP and ICMP packets when failure occurs. So even these packets would be counted in the total. So that number isn't what I am looking for. For Method 3, it gives the value of "Packet length" at the end. It does not return the number of lost packets. – ST94 Jul 12 '18 at 17:10
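The comparison from Method 2, restricted to TCP data packets so that the ARP, DHCP and ICMP traffic raised in the comments above is ignored. This is an added example, not code from either answer: it reads classic pcap files directly, keys each TCP segment that carries payload on addresses, ports, sequence number and payload length, and takes the multiset difference. The port numbers and both sample captures are constructed.

```python
import struct
from collections import Counter

def tcp_data_keys(pcap: bytes) -> Counter:
    """Count TCP/IPv4 segments that carry payload in a classic Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    keys, off = Counter(), 24                      # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # ARP and other non-IPv4 frames
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue                               # ICMP, UDP (DHCP), truncated TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
        payload_len = total_len - ihl - (ip[ihl + 12] >> 4) * 4
        if payload_len > 0:                        # ignore pure ACK/SYN/FIN segments
            keys[(ip[12:16], ip[16:20], sport, dport, seq, payload_len)] += 1
    return keys

def lost_data_packets(sender_pcap: bytes, receiver_pcap: bytes) -> int:
    # Multiset difference: a retransmission counts as sent twice, received once.
    return sum((tcp_data_keys(sender_pcap) - tcp_data_keys(receiver_pcap)).values())

# --- Constructed sample captures (not from the original post) ---
def _frame(proto, seq=0, payload=b""):
    l4 = bytes(8)                                  # stand-in ICMP header
    if proto == 6:                                 # TCP, ports are made up
        l4 = struct.pack("!HHIIBBHHH", 5004, 40000, seq, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([172, 16, 0, 67]), bytes([172, 16, 0, 97]))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

ARP = b"\xff" * 6 + b"\x04" * 6 + b"\x08\x06" + bytes(28)
SENDER = _pcap([_frame(6, 1000, b"A" * 100), _frame(6, 1100, b"B" * 100), ARP,
                _frame(6, 1200, b"C" * 100), _frame(6, 1100, b"B" * 100), _frame(6, 1300)])
RECEIVER = _pcap([_frame(1), _frame(6, 1000, b"A" * 100), ARP, ARP,
                  _frame(6, 1200, b"C" * 100), _frame(6, 1100, b"B" * 100), _frame(6, 1300)])
if __name__ == "__main__":
    print("lost TCP data packets:", lost_data_packets(SENDER, RECEIVER))
```

For real captures, pass the bytes of each file saved in pcap (not pcapng) format. If segmentation offload is enabled on the sender, its capture can show segments larger than those on the wire, so the keys will not match until offload is disabled for the test.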
To calculate a diff between two pcap files you can use WAND's libtrace. It contains the tracediff tool which does exactly what you need.
It would be something like:
$ tracediff pcapfile:sender.pcap.gz pcapfile:receiver.pcap.gz

- It gives me info such as packet length, direction value, header length, ID, source ip, destination ip, seq, ack etc. From which value would I know the number of lost data packets? – ST94 Jul 11 '18 at 18:17