Analyze Packet Loss in Tshark

Introduction

In this lab, you will learn to analyze TCP packet loss using Wireshark's command-line tool Tshark. You'll practice capturing network traffic, identifying retransmissions, and interpreting loss statistics through practical terminal commands.

The exercises will guide you through detecting packet loss patterns and understanding network performance metrics. You'll gain hands-on experience with both normal transmissions and simulated loss scenarios to troubleshoot real-world TCP connection issues.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/capture_filters("Capture Filters") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/packet_capture -.-> lab-548912{{"Analyze Packet Loss in Tshark"}} wireshark/display_filters -.-> lab-548912{{"Analyze Packet Loss in Tshark"}} wireshark/capture_filters -.-> lab-548912{{"Analyze Packet Loss in Tshark"}} wireshark/packet_analysis -.-> lab-548912{{"Analyze Packet Loss in Tshark"}} wireshark/commandline_usage -.-> lab-548912{{"Analyze Packet Loss in Tshark"}} end

Capture TCP with -f "tcp"

In this step, you will learn how to capture TCP traffic using Wireshark's capture filter option -f "tcp". TCP (Transmission Control Protocol) is one of the core protocols of the Internet, responsible for reliable data delivery. This filter ensures only TCP packets are captured, which is particularly useful when you want to focus on TCP-specific behaviors like connection establishment (three-way handshake), retransmissions, and flow control without being distracted by other network traffic.

First, open a terminal in your LabEx VM by clicking on the terminal icon in the Xfce desktop or using the shortcut Ctrl+Alt+T. The terminal is where you'll execute all commands for this network analysis.
Navigate to the default working directory where we'll store our capture files:
```
cd ~/project
```
This directory is created specifically for your lab work, keeping your files organized and separate from system files.
Start capturing TCP packets by running this command:
```
sudo tshark -f "tcp" -w tcp_capture.pcap
```
Let's break down what each part does:
- sudo gives you administrator privileges needed for packet capture
- tshark is the command-line version of Wireshark
- -f "tcp" tells tshark to only capture TCP packets
- -w tcp_capture.pcap saves the captured packets to a file named tcp_capture.pcap
While tshark is running, open another terminal tab/window (Ctrl+Shift+T) and generate some TCP traffic. We'll use curl to make a simple web request:
```
curl -I https://www.labex.io
```
The -I flag tells curl to only fetch the HTTP headers, which generates just enough traffic for our analysis without downloading unnecessary data.
After waiting about 5-10 seconds to capture sufficient packets, stop the capture by pressing Ctrl+C in the terminal where tshark is running. You should see output similar to:
```
Capturing on 'eth1'
10 packets captured
```
This confirms how many TCP packets were captured during your session.
Verify your capture file was created successfully by listing files in the directory:
```
ls -lh tcp_capture.pcap
```
The -lh options show the file size in human-readable format (like KB or MB) along with other details. This helps confirm your capture was saved properly before moving to the next step.

Check Retransmissions with -Y "tcp.analysis.retransmission"

In this step, we'll examine TCP retransmissions which occur when the sender doesn't receive acknowledgment for sent packets and needs to resend them. This is a crucial network troubleshooting technique since frequent retransmissions often indicate network congestion, packet loss, or other connectivity issues.

Before we begin, let's understand what we're looking for:

A retransmission happens when TCP doesn't receive an ACK (acknowledgment) within expected time
Wireshark/tshark can identify these using the special filter "tcp.analysis.retransmission"
We'll first check an existing capture, then create a new one with simulated network issues

First, ensure you're in the project directory where our capture files are stored:
```
cd ~/project
```
Let's analyze the capture file we created earlier for any retransmissions. The command breaks down as:
- -r reads from a saved capture file
- -Y applies a display filter to show only retransmissions
```
tshark -r tcp_capture.pcap -Y "tcp.analysis.retransmission"
```
If your network connection was stable during the first capture, you'll likely see:
```
0 packets captured
```
This is normal and indicates no packets needed retransmission during that capture period.
To better understand retransmissions, we'll now create a new capture while intentionally causing network congestion. Open two terminal windows:

In the first terminal, start capturing TCP traffic:
```
sudo tshark -f "tcp" -w retransmission_capture.pcap
```
In the second terminal, run a slow download that may trigger retransmissions:
```
curl --limit-rate 10k https://www.labex.io
```
After a few seconds, stop both processes with Ctrl+C
Now examine the new capture file for retransmissions:
```
tshark -r retransmission_capture.pcap -Y "tcp.analysis.retransmission"
```
This time you should see retransmitted packets listed, showing sequence numbers and timing details that help diagnose network performance issues.

Summarize Loss Stats with -z tcp,tree

In this step, you'll learn how to use Wireshark's powerful statistics feature with the -z tcp,tree option. This command helps you analyze TCP conversations and identify packet loss patterns by providing a structured overview of all TCP streams in your captured data.

Before starting, let's understand what TCP conversation statistics show:

The tree view displays communication between pairs of hosts
It counts frames (packets) and bytes transferred in each direction
Helps identify unbalanced traffic which may indicate problems

First, ensure you're in the project directory where your capture files are stored:
```
cd ~/project
```
Now let's analyze the basic TCP statistics from our initial capture. This command reads the capture file and generates a conversation tree:
```
tshark -r tcp_capture.pcap -z tcp,tree
```

The output will show a structured table of all TCP conversations. Pay attention to these columns:

<- shows traffic coming to your machine
-> shows traffic going out from your machine
Total summarizes both directions

======================================================
TCP Conversations
Filter:<No Filter>
|       <-      | |       ->      | |     Total     |
| Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
======================================================

Now let's specifically examine the retransmission capture. Retransmissions occur when packets are lost and need to be resent:
```
tshark -r retransmission_capture.pcap -z tcp,tree
```
Look for conversations where the frame counts are significantly higher than others - this often indicates retransmission issues.
For the most precise analysis, we can combine this with our previous retransmission filter. This shows only retransmitted packets in the conversation tree:
```
tshark -r retransmission_capture.pcap -Y "tcp.analysis.retransmission" -z tcp,tree
```
This helps pinpoint exactly which conversations are experiencing packet loss.

Quiet Output with -q

In this step, we'll explore how to use Wireshark's -q option to simplify your packet analysis. When working with large network captures, you often don't need to see every single packet - you just want the important statistics. The -q (quiet) option helps by hiding the detailed packet listings and showing only the summary data.

First, let's navigate to our working directory where the capture files are stored:
```
cd ~/project
```
Now we'll analyze our TCP capture file in quiet mode. This command reads the file but only shows the TCP conversation statistics:
```
tshark -r tcp_capture.pcap -q -z tcp,tree
```
To understand what the -q option does, let's run the same command without it. Notice how this version shows all the individual packets before the statistics:
```
tshark -r tcp_capture.pcap -z tcp,tree
```
We can combine the quiet option with our previous retransmission filter. This gives us a clean view of just the retransmission statistics:
```
tshark -r retransmission_capture.pcap -Y "tcp.analysis.retransmission" -q -z tcp,tree
```

The output format will look like this, showing only the conversation statistics without packet details:

======================================================
TCP Conversations
Filter:tcp.analysis.retransmission
|       <-      | |       ->      | |     Total     |
| Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
======================================================

Summary

In this lab, you have learned to analyze TCP packet loss using Tshark through practical network troubleshooting techniques. You captured TCP traffic with specific filters, identified retransmissions, and generated connection statistics to assess network performance.

The exercises demonstrated how to use Tshark's advanced features like -z tcp,tree for comprehensive TCP stream analysis and -q for efficient statistical reporting. These skills enable you to quickly diagnose and troubleshoot packet loss issues in real-world network environments.