
Wireshark-users: Re: [Wireshark-users] Question about filtering

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 5 Dec 2011 10:11:39 +0100
And then in the graph, click on the point where the communication drops one-side and the corresponding packet will be selected in the packet-list. 

You can also do it with filtering and searching. First determine which side stops communicating. Now apply the filter "ip.src="". In the beginning of the trace, check the delta time between the frames; this should be a rather constant value. Now open "Edit -> Find Packet" and do a search based on the display filter "frame.time_delta_displayed > X" where X is just a little bit bigger than the interval at which the RTP frames were sent.

Cheers,
Sake


On 5 dec 2011, at 08:04, Boonie wrote:

Try this:
 
Go to Statistics > IO Graphs
 
Make two filters like: ip.src == x.x.x.x
and ip.dst == x.x.x.x
 
Regards,
 
Dave
 
----- Original Message -----
From: FS
Sent: Monday, December 05, 2011 5:22 AM
Subject: [Wireshark-users] Question about filtering

Greetings!

I'm investigating audio-loss for a VoIP implementation. When I listen to the RTP stream, I can see that at a certain point in the conversation one party starts to "not hear" the other side. In other words, one-way audio muting is happening. 

My question is how do I correlate that particular muting which I can deduce (from one side in question repeating their hellos again and again) in the stream to a packet-stream in wireshark? So how do I know the point where the packets start to get lost in the conversation from the side that muted? (It's a 100 meg capture)

One way I can think of is to go through the capture packet-by-packet and see where only packets from one side start showing up in the capture, but is there another more elegant way to do this? Can I write a filter in such a way that it finds the packets coming only from one side in succession whereas it should be a to-and-fro that should be reported? 

Hoping that I asked the question clearly. If not, please let me know if more information is needed and/or you know the hidden trick that I seem to be missing :-)

Thanks,
Basti Ji



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
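
Added example, not part of the original thread: the per-side delta check described in the reply above, run offline over exported packet fields. It assumes tab-separated input with frame.number, frame.time_relative and ip.src per line (for instance from tshark's field output); the sample lines, addresses and the 30 ms threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (not from the thread): frame.number, frame.time_relative
# and ip.src, tab-separated. Addresses are documentation-range placeholders;
# both sides send RTP every 20 ms until 198.51.100.20 goes quiet.
SAMPLE = """\
1\t0.000\t192.0.2.10
2\t0.001\t198.51.100.20
3\t0.020\t192.0.2.10
4\t0.021\t198.51.100.20
5\t0.040\t192.0.2.10
6\t0.041\t198.51.100.20
7\t0.060\t192.0.2.10
8\t0.080\t192.0.2.10
9\t0.100\t192.0.2.10
10\t0.120\t192.0.2.10
11\t0.121\t198.51.100.20
12\t0.140\t192.0.2.10
13\t0.160\t192.0.2.10
"""

def find_gaps(text, threshold):
    """Return {src: [(frame_before_gap, frame_after_gap_or_None, seconds)]}."""
    last = {}                  # src -> (frame number, time) of its latest packet
    gaps = defaultdict(list)
    capture_end = 0.0
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, t, src = line.split("\t")
        frame, t = int(frame), float(t)
        # Same test as "frame.time_delta_displayed > X" with an ip.src filter.
        if src in last and t - last[src][1] > threshold:
            gaps[src].append((last[src][0], frame, round(t - last[src][1], 3)))
        last[src] = (frame, t)
        capture_end = max(capture_end, t)
    # A side that never resumes has no later packet carrying a large delta,
    # so compare its final packet against the end of the capture instead.
    for src, (frame, t) in last.items():
        if capture_end - t > threshold:
            gaps[src].append((frame, None, round(capture_end - t, 3)))
    return dict(gaps)

if __name__ == "__main__":
    for src, found in find_gaps(SAMPLE, threshold=0.030).items():
        for before, after, secs in found:
            print(f"{src}: silent {secs}s after frame {before}, next frame {after}")
```

The frame numbers in the result are the ones to jump to in the packet list; a `None` second element means that side sent nothing more before the capture ended.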