I have two Wireshark pcap files from the sender and receiver. I am streaming a live video from sender to receiver using different protocols: TCP, UDP, RTMP and RTSP. Is there a way to get packet loss from the two pcap files when a network disconnection occurs?
2 Answers
Method 1: Count packets
If you know for sure that the receiver didn't receive packets from another sender, you can simply count the number of packets in each capture file to get the number of dropped packets:
$ capinfos file1.pcap | grep "Number of packets:"
Number of packets: 12
$ capinfos file2.pcap | grep "Number of packets:"
Number of packets: 18
Here, I have a 4-packet difference because the capture of file2 was started before file1's.
Method 2: Compare the text dumps
$ tshark -r file1.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file1.txt
$ tshark -r file2.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file2.txt
$ diff file1.txt file2.txt
0a1,2
> 172.16.0.67 172.16.0.97 22 56732
> 172.16.0.97 172.16.0.67 56732 22
Here I dump a few field values for each packet that, in my case, are sufficient. You might need to dump different field values. Diffing the two text files reveals that file2.pcap contains 2 more packets.
Method 3: Install a dedicated tool
If you're not against installing a new tool, there are several that can do that for you:
Tracediff will print details for each packet that differs between the two capture files. You can use the following to extract the number of different/missing files:
$ sudo apt install tracediff
$ tracediff file1.pcap file2.pcap | grep "Capture: Packet Length:" | wc -l
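An order-insensitive version of the Method 2 comparison, as an added example that is not part of the original answer: it keeps only one direction of one flow (so other senders do not skew the count, the caveat of Method 1), tolerates reordering, and skips packets sent before the receiver capture began. The field list (ip.id plus UDP ports), the addresses and the sample dumps are constructed assumptions; for a TCP stream, tcp.seq would take the place of ip.id.

```python
from collections import Counter

# Constructed sample dumps (tab-separated), in the format printed by:
#   tshark -r FILE -T fields -e ip.src -e ip.dst -e ip.id -e udp.srcport -e udp.dstport
SENDER_DUMP = "\n".join([
    "10.0.0.1\t10.0.0.2\t0x0001\t5004\t5004",  # sent before receiver capture began
    "10.0.0.1\t10.0.0.2\t0x0002\t5004\t5004",
    "10.0.0.1\t10.0.0.2\t0x0003\t5004\t5004",
    "10.0.0.1\t10.0.0.2\t0x0004\t5004\t5004",
    "10.0.0.1\t10.0.0.2\t0x0005\t5004\t5004",  # dropped in transit
    "10.0.0.1\t10.0.0.2\t0x0006\t5004\t5004",
])
RECEIVER_DUMP = "\n".join([
    "\t\t\t\t",                                  # non-IP frame: all fields empty
    "10.0.0.1\t10.0.0.2\t0x0002\t5004\t5004",
    "10.0.0.9\t10.0.0.2\t0x0abc\t40000\t5004",  # another sender
    "10.0.0.1\t10.0.0.2\t0x0004\t5004\t5004",  # arrived before 0x0003 (reordered)
    "10.0.0.1\t10.0.0.2\t0x0003\t5004\t5004",
    "10.0.0.2\t10.0.0.1\t0x0777\t5004\t5004",  # reverse direction
    "10.0.0.1\t10.0.0.2\t0x0006\t5004\t5004",
])

def parse_dump(text, src, dst):
    """Keep only src -> dst packets; the whole field tuple is the packet key."""
    keys = []
    for line in text.splitlines():
        fields = tuple(line.split("\t"))
        if len(fields) == 5 and fields[0] == src and fields[1] == dst:
            keys.append(fields)
    return keys

def packet_loss(sender_text, receiver_text, src, dst, trim_head=True):
    """Count sender packets that never show up in the receiver dump."""
    sent = parse_dump(sender_text, src, dst)
    received = Counter(parse_dump(receiver_text, src, dst))
    if trim_head:
        # Skip packets sent before the receiver capture was running. If the
        # receiver saw nothing at all, keep everything so it counts as lost.
        first = next((i for i, k in enumerate(sent) if k in received), 0)
        sent = sent[first:]
    # Multiset difference: unlike diff, arrival order does not matter, and a
    # key that repeats (ip.id wraps at 65536) is matched once per occurrence.
    lost = sorted((Counter(sent) - received).elements())
    return {"sent": len(sent), "lost": len(lost), "lost_keys": lost}

if __name__ == "__main__":
    print(packet_loss(SENDER_DUMP, RECEIVER_DUMP, "10.0.0.1", "10.0.0.2"))
```

Head trimming only corrects for a receiver capture that started late; packets missing at the tail are still counted, since that is where loss from a disconnection shows up.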
To calculate a diff between two pcap files you can use WAND's libtrace. It contains the tracediff tool, which does exactly what you need.
It would be something like tracediff pcapfile:sender.pcap.gz pcapfile:receiver.pcap.gz