How to find out where exactly the packet is being lost

It's a pretty common occurrence: you have two hosts pinging each other and some packets are being lost. Sometimes you need to make sure that the routing device between these hosts really receives the request, forwards it to the target, receives the reply and forwards it back to the request's initiator. If you're lucky enough to be able to run tcpdump on this intermediate device (if it runs some Unix-like OS, e.g. Linux or FreeBSD), you can wrap it in a script that analyzes each transit packet to find out exactly where things go wrong.

If you watch the tcpdump output with the naked eye, you’ll see the following pattern:

…which repeats…

…and repeats…

And if you look carefully at this pattern, you'll see that there are 4 obvious phases.

A request came in:

The request went out:

The reply came in:

The reply went out:

So you can sit and watch the packets being received and transmitted, but that gets boring quickly, so you can run the following script instead:

It reads the output of tcpdump and prints an alert message when the usual pattern gets broken. When a request or a reply is absent, or the seq number is unexpected, it prints something like this:

The latest version is available at GitHub: https://gist.github.com/anonymous/2e8b6883c93326de280124c077424cc6.
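As an added illustration of the same idea (this is not the author's script from the gist above), here is a small Python checker that tracks the four phases per ICMP id/seq pair and reports the first phase that never showed up. It assumes the text format printed by tcpdump 4.99 and later with `-i any -n`, where each line carries the interface name and an `In`/`Out` direction marker; the sample lines embedded below are constructed for the example, and the regex is the place to adjust for an older tcpdump that prints a different layout.

```python
#!/usr/bin/env python3
"""Watch ICMP echo traffic transiting a router and report where a probe was lost.

Intended usage on the intermediate device (line-buffered so alerts appear live):
    tcpdump -l -n -i any icmp | python3 transit_check.py
Run with no piped input and it checks the constructed SAMPLE below instead.
"""
import re
import sys

# Assumed line layout: tcpdump >= 4.99 with "-i any -n" prints
#   <timestamp> <iface> <In|Out> IP <src> > <dst>: ICMP echo <request|reply>, id N, seq N, length N
# Older versions omit the interface/direction columns; adjust LINE_RE accordingly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id (?P<id>\d+), seq (?P<seq>\d+)"
)

# The four phases a transit probe passes through on the router, in order.
PHASES = (("In", "request"), ("Out", "request"), ("In", "reply"), ("Out", "reply"))
PHASE_NAMES = ("request received", "request forwarded", "reply received", "reply forwarded")

# Constructed sample: seq 2 is forwarded but no reply ever comes back (lost beyond
# the router), and seq 4 never reaches the router at all (lost before it).
SAMPLE = """\
12:00:01.000100 eth0  In  IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000150 eth1  Out IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000900 eth1  In  IP 10.0.2.20 > 10.0.1.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:01.000950 eth0  Out IP 10.0.2.20 > 10.0.1.10: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000100 eth0  In  IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 2, length 64
12:00:02.000150 eth1  Out IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 2, length 64
12:00:03.000100 eth0  In  IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 3, length 64
12:00:03.000150 eth1  Out IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 3, length 64
12:00:03.000900 eth1  In  IP 10.0.2.20 > 10.0.1.10: ICMP echo reply, id 4242, seq 3, length 64
12:00:03.000950 eth0  Out IP 10.0.2.20 > 10.0.1.10: ICMP echo reply, id 4242, seq 3, length 64
12:00:05.000100 eth0  In  IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 5, length 64
12:00:05.000150 eth1  Out IP 10.0.1.10 > 10.0.2.20: ICMP echo request, id 4242, seq 5, length 64
12:00:05.000900 eth1  In  IP 10.0.2.20 > 10.0.1.10: ICMP echo reply, id 4242, seq 5, length 64
12:00:05.000950 eth0  Out IP 10.0.2.20 > 10.0.1.10: ICMP echo reply, id 4242, seq 5, length 64
"""


def parse_line(line):
    """Return (direction, kind, icmp_id, seq) for an echo line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("dir"), m.group("kind"), int(m.group("id")), int(m.group("seq"))


def _close(progress, key):
    """Drop a probe from the tracking table; return an alert if it never completed."""
    seen = progress.pop(key)
    if seen >= len(PHASES):
        return None
    after = PHASE_NAMES[seen - 1] if seen else "nothing"
    return "id %d seq %d: stopped after '%s'; missing '%s'" % (key[0], key[1], after, PHASE_NAMES[seen])


def check_stream(lines):
    """Yield alert strings as the four-phase pattern breaks.

    A probe (id, seq) is expected to show all four phases in order before the next
    seq of the same id begins; the first missing phase tells you on which side of
    the router the packet disappeared. Seq numbers per id must increase by one.
    """
    progress = {}   # (id, seq) -> number of phases seen so far
    last_seq = {}   # id -> last seq number seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        direction, kind, icmp_id, seq = parsed
        key = (icmp_id, seq)
        if key not in progress:
            # A new probe started: settle any earlier probe of the same id first.
            for old in [k for k in progress if k[0] == icmp_id]:
                alert = _close(progress, old)
                if alert:
                    yield alert
            prev = last_seq.get(icmp_id)
            if prev is not None and seq != prev + 1:
                yield "id %d: unexpected seq %d after %d" % (icmp_id, seq, prev)
            last_seq[icmp_id] = seq
            progress[key] = 0
        idx = progress[key]
        if idx < len(PHASES) and (direction, kind) == PHASES[idx]:
            progress[key] = idx + 1
        else:
            stage = PHASE_NAMES[idx] if idx < len(PHASES) else "already complete"
            yield "id %d seq %d: unexpected %s %s at phase '%s'" % (icmp_id, seq, direction, kind, stage)
    # End of input: whatever is still in flight is reported as incomplete too.
    for key in list(progress):
        alert = _close(progress, key)
        if alert:
            yield alert


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for alert in check_stream(source):
        print(alert, flush=True)
```

The checker relies on the same assumption the naked-eye pattern does: one probe finishes before the next one starts, which holds for a default 1-second ping interval but not for a flood ping or a link with multi-second latency, where an in-flight reply would be reported as missing.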
