0
votes

I have two Wireshark pcap files from the sender and receiver. I am streaming a live video from sender to receiver using different protocols: TCP, UDP, RTMP and RTSP. Is there a way to get packet loss from the two pcap files when a network disconnection occurs?

2
What do you mean by "packet loss from the two pcap files"? – Malt
Do you mean the pcap file retrieved at the receiver contains fewer packets than the one from the sender because of packet losses, and you'd like to compute the diff between the two files? – pchaigno
@Malt While streaming, I introduce a failure, so that should result in packet loss which would be captured by Wireshark. I have Wireshark running at the sender and receiver, so comparing these two capture files could give how many packets were lost during the failure. I wanted to know if there are ways to get that number. – ST94
@pchaigno Yes, that is what I am trying to know. The difference would give me the number of packets missing or lost during that time of failure. – ST94

2 Answers

1
votes

Method 1: Count packets

If you know for sure that the receiver didn't receive packets from another sender, you can simply count the number of packets in each capture file to get the number of dropped packets:

    $ capinfos file1.pcap | grep "Number of packets:"
    Number of packets:   12
    $ capinfos file2.pcap | grep "Number of packets:"
    Number of packets:   18

Here, I have a 4-packet difference because the capture of file2 was started before file1's.


Method 2: Compare the text dumps

    $ tshark -r file1.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file1.txt
    $ tshark -r file2.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file2.txt
    $ diff file1.txt file2.txt
    0a1,2
    > 172.16.0.67   172.16.0.97 22  56732
    > 172.16.0.97   172.16.0.67 56732   22

Here I dump a few field values for each packet that, in my case, are sufficient. You might need to dump different field values. Diffing the two text files reveals that file2.pcap contains 2 more packets.


Method 3: Install a dedicated tool

If you're not against installing a new tool, there are several that can do that for you:

  • Tracediff will print details for each packet that differs between the two capture files. You can use the following to extract the number of different/missing files:

    $ sudo apt install tracediff
    $ tracediff file1.pcap file2.pcap | grep "Capture: Packet Length:" | wc -l
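
Added example, not part of the original answer: Methods 1 and 2 break when packets arrive reordered or when the two capture points see different link-layer bytes. The Python below compares two classic pcap files as multisets, ignoring fields that legitimately differ between sender and receiver (MAC addresses, Ethernet padding, TTL, IP and TCP/UDP checksums). It assumes Ethernet/IPv4 captures with no NAT or segmentation offload; every function name and the sample captures are constructed for illustration.

```python
import struct
from collections import Counter
from hashlib import sha256

def read_pcap(data):
    """Yield captured frames from the bytes of a classic (non-pcapng) pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    pos = 24                                    # skip the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def fingerprint(frame):
    """Hash an Ethernet/IPv4 packet, ignoring what differs between capture points."""
    total_len = struct.unpack("!H", frame[16:18])[0] if len(frame) >= 34 else 0
    if total_len < 20 or frame[12:14] != b"\x08\x00":
        return None                             # not a usable IPv4-over-Ethernet frame
    ip = bytearray(frame[14:14 + total_len])    # drops MACs and Ethernet padding
    ip[8] = 0                                   # TTL changes at every router
    ip[10:12] = b"\0\0"                         # and so does the IP header checksum
    off = (ip[0] & 0x0F) * 4 + {6: 16, 17: 6}.get(ip[9], 0)
    if ip[9] in (6, 17) and len(ip) >= off + 2:
        ip[off:off + 2] = b"\0\0"               # TCP/UDP checksum (offload artefact)
    return sha256(ip).hexdigest()

def compare(sender_pcap, receiver_pcap):
    """Return (lost, extra): packets seen only at the sender / only at the receiver."""
    sent = Counter(filter(None, map(fingerprint, read_pcap(sender_pcap))))
    rcvd = Counter(filter(None, map(fingerprint, read_pcap(receiver_pcap))))
    return sum((sent - rcvd).values()), sum((rcvd - sent).values())

# --- constructed sample captures (not real traffic) ---
def demo_frame(ip_id, ttl, mac, pad=b""):
    udp = struct.pack("!HHHH", 5004, 5004, 12, 0) + b"RTP!"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, ip_id, 0, ttl, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 1, 2]))
    return mac * 2 + b"\x08\x00" + ip + udp + pad

def demo_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SENDER = demo_pcap(demo_frame(i, 64, b"\xaa" * 6) for i in range(1, 6))
# Receiver: one router hop (TTL 63, new MACs, padded frames), ids 3 and 4 dropped, reordered
RECEIVER = demo_pcap(demo_frame(i, 63, b"\xbb" * 6, b"\0" * 14) for i in (2, 1, 5))
print("lost=%d extra=%d" % compare(SENDER, RECEIVER))
```

For real files, pass the bytes of each capture (`open(path, "rb").read()`); pcapng captures must be converted to classic pcap first, for example with `editcap -F pcap`.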
    
0
votes

To calculate a diff between two pcap files you can use WAND's libtrace. It contains the tracediff tool which does exactly what you need.

It would be something like:

    tracediff pcapfile:sender.pcap.gz pcapfile:receiver.pcap.gz