This will limit the capture to only traffic on ports 67 and 68. Click the 'Options' button and in the Capture Filter section type in 'port 67 or port 68'.

Tracediff will print details for each packet that differs between the two capture files.

Under the 'Capture' menu select 'Interfaces' and ensure that only the Ethernet connection that is connected to the desired subnet is selected.

To do this, either select a UDP packet and right-click Decode As, or choose Analyze -> Decode As.

If you're not against installing a new tool, there are several that can do that for you:

Diffing the two text files reveals that file2.pcap contains 2 more packets. You might need to dump different field values. Here I dump a few field values for each packet that, in my case, are sufficient.

$ tshark -r file2.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file2.txt

These particular ICMP messages indicate that the remote UDP port is closed.
First, proper packets should be filtered (use filter tcp.port == 5554).

This is what a UDP port scan looks like in Wireshark: A good indicator of ongoing UDP port scanning is seeing a high number of ICMP packets in our network, namely the ICMP type 3 (Destination unreachable) with code 3 (Port unreachable).

Method 2: Compare the text dumps

$ tshark -r file1.pcap -Tfields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport > file1.txt

On Wireshark select File -> Open and select the dabber.pcap from /data/dabber/.

Here, I have a 4-packet difference because the capture of file2 was started before file1's.

$ capinfos file2.pcap | grep "Number of packets:"

If you know for sure that the receiver didn't receive packets from another sender, you can simply count the number of packets in each capture file to get the number of dropped packets:

$ capinfos file1.pcap | grep "Number of packets:"