Wireshark-users: Re: [Wireshark-users] Fwd: sequence number and packet id

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 12 Apr 2008 15:42:38 -0700
Fabiana moreno wrote:
Thanks again...so this actually answers what i meant in my question....the sequence number is unique within the capture...so it�s like my identifier...

The sequence number is 16 bits, so it can only be unique within the RTP session if fewer than 65536 packets are sent. You should look for "gaps" in the sequence number, such as going from sequence number 60410 to sequence number 60412 or later.

Presumably the sequence number will "wrap around", so it will go from 65535 to 0. Any "lost packet" analysis you do must take that into account. The best way to do that would probably be to, for each RTP packet other than the first packet, subtract from it the sequence number of the previous packet, and take the result modulo 65536; if the result is something other than 1, you have missing packets.

If, for example, you see a packet with a sequence number of 65535 and then a packet with a sequence number of 2, the difference will be 2 - 65535, or -65533. -65533, modulo 65536, would be 65536-65533, or 3.

In C, with GLib, the way to do that would be

	guint16 previous_packet_seq, current_packet_seq, seq_diff;

	seq_diff = current_packet_seq - previous_packet_seq;

where "previous_packet_seq" is the sequence number of the previous packet and "current_packet_seq" is the sequence number of the current packet; in that case, "seq_diff" will be set to the difference between the sequence numbers of the packet, modulo 65536.