How To Find Dropped Packets with Wireshark
A slow, lagging connection can indicate packets getting lost in transmission. While a certain level of packet loss is acceptable in some scenarios, it can seriously disrupt user experience in others, especially when streaming media. In addition, the system may drop packets altogether to compensate for the latency, and data may be lost in the process.
Here’s how to determine if you’re dealing with dropped or lost packets using Wireshark so that you can diagnose the issue promptly.
Dropped Packets? Let’s Pick Them Up
When users complain of slow service or poor data transmission, it’s logical to assume that packet loss is to blame. Not all lost packets are dropped, but a high drop rate can still indicate various issues. Here’s the process of checking whether you have dropped packets in Wireshark.
- Open the Wireshark desktop app.
- Make sure you’re in Capture Mode.
- Find the Status Bar at the bottom of the window.
You’ll see some statistics about the packets you’ve captured here. The number next to “Dropped” will indicate if any packets were dropped. In some versions, the “Dropped” counter will only appear if Wireshark didn’t capture all packets.
If you’re certain some packets were dropped, but the status bar isn’t helping, find your dropped packets stats this way:
- Click “Statistics” in the menu bar.
- Select “Capture File Properties.” A new window will open.
- Under “Interfaces,” you’ll see “Dropped packets.” The number underneath it will tell you how many packets weren’t captured.
Even if Wireshark doesn’t capture all packets, it doesn’t mean they weren’t transmitted. The program might simply fail to keep up with a fast stream. Nevertheless, it might still acknowledge packets that weren’t captured with an ACK packet since these are smaller packets that are easier to capture. Therefore, you can often identify dropped packets by searching for ACKs in the info column. The ACK tells you that the data was transmitted successfully despite the missing packet.
Investigating Lost Packets
Uncaptured packets don’t equal lost packets. While packets Wireshark didn’t capture may still arrive at their destination, lost packets fail to do so. Instead, they are usually retransmitted, and are only dropped in the worst-case scenario. To investigate lost packets in a TCP segment, you’ll need to take a closer look at the info column in your Capture screen.
- Pick a conversation you want to investigate and apply it as a filter. This isn’t mandatory but will help you get a better overview.
- Select any of the packets.
- Click “Internet Protocol Version 4” In the Details section.
- Find the Identification Number and right-click it then Press “Apply it as a column.”
Now, you can see the sequential identification number of each transmission. Look through the numbers to find any discrepancy. Remember that in TCP, lost packets may be retransmitted later, so even if a transmission is missing from its place, it might still be there further down. You can look for it using its identification number.
Whenever a packet fails to transfer, you’ll see a “Previous segment not captured” message in the following line’s Info column. You can also look for lost packets across all conversations by filtering them for this error message. Type “tcp.analysis.lost_segment” in the filter bar and hit Enter. You can also combine this with IP address or conversation filters by typing “and” between the two filters to get a more precise result. Again, you can search for the lost packets after determining their identification numbers.
As mentioned, TCP allows lost segments to be retransmitted later. You can use the “tcp.analysis.retransmission” filter to find your retransmissions. Searching for retransmitted packets can sometimes be more productive than looking for lost segments, as lost segments may include more than one packet while retransmissions are individual packets.
Track Down Lost Packets With Wireshark
Determining whether a packet was lost or dropped by Wireshark isn’t always straightforward. It’s usually not enough to look at one metric alone, but you must consider several factors. Dropped packets often arrive at their destination unscathed, while many lost packets may lead to a poor user experience.