Baseline Configuration
Edit > Preferences > Columns
Add column Title "ID", Type "Custom" & Fields "ip.id"
Add column Title "TCP Seq", Type "Custom" & Fields "tcp.seq"
Edit Time, set Type "UTC time"
Edit > Protocols > TCP
Untick Relative sequence numbers
View > Time Display Format > UTC Date and Time of Day
Quick Starting Points for Identifying Issues
Packet Loss
TCP Lost Segments (gaps in sequence numbers, indication of loss): tcp.analysis.lost_segment
Re-transmits (not necessarily packet loss): (tcp.analysis.retransmission or tcp.analysis.fast_retransmission) and ip.addr==160.43.172.4
TCP Duplicate ACKs: tcp.analysis.duplicate_ack
TCP Resets: tcp.flags.reset==1 and ip.addr==160.43.172.4
TCP FIN: tcp.flags.fin==1 and ip.addr==160.43.172.4
Alternate syntax:
(ip.addr==10.83.230.68 && ip.addr==10.83.233.40) && (tcp.analysis.retransmission || tcp.analysis.fast_retransmission)
Proper verification of packet loss requires matching up packet captures from each end, because re-transmits can also be caused by CPU load, out-of-sequence packets, etc.
Absolute TCP sequence numbers, or packet IDs (for UDP) can be used to match packets at both ends.
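An added example (not part of the original notes) of the matching described above: it compares tshark field exports from both ends, keyed on IP ID plus absolute TCP sequence number, to separate packets lost in the path from retransmits whose original arrived. The sample rows, addresses and function names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Export each capture with absolute sequence numbers, as in the baseline:
#   tshark -r sender.pcap -o tcp.relative_sequence_numbers:FALSE -T fields -E separator=, \
#     -e ip.src -e ip.dst -e ip.id -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.len
FIELDS = ["src", "dst", "ip_id", "sport", "dport", "seq", "len"]

# Constructed sample rows (not from a real capture).
SENDER_CSV = """\
192.0.2.10,198.51.100.20,0x0001,50000,443,3051234000,100
192.0.2.10,198.51.100.20,0x0002,50000,443,3051234100,100
192.0.2.10,198.51.100.20,0x0003,50000,443,3051234200,100
192.0.2.10,198.51.100.20,0x0004,50000,443,3051234100,100
192.0.2.10,198.51.100.20,0x0005,50000,443,3051234200,100
192.0.2.10,198.51.100.20,0x0006,50000,443,3051234300,0
"""
RECEIVER_CSV = """\
192.0.2.10,198.51.100.20,0x0001,50000,443,3051234000,100
192.0.2.10,198.51.100.20,0x0003,50000,443,3051234200,100
192.0.2.10,198.51.100.20,0x0004,50000,443,3051234100,100
192.0.2.10,198.51.100.20,0x0005,50000,443,3051234200,100
"""

def load(text):
    """Parse exported rows, keeping only segments that carry payload."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [r for r in rows if int(r["len"]) > 0]

def segment_key(r):
    """Identifies the TCP data; shared by an original and its retransmits."""
    return (r["src"], r["dst"], r["sport"], r["dport"], int(r["seq"]), int(r["len"]))

def packet_key(r):
    """Identifies one packet on the wire; the IP ID tells retransmits apart."""
    return (int(r["ip_id"], 16),) + segment_key(r)

def compare(sender_rows, receiver_rows):
    """Return (packets lost in the path, retransmitted segments, spurious retransmits)."""
    arrived = Counter(packet_key(r) for r in receiver_rows)
    sent_packets = Counter(packet_key(r) for r in sender_rows)
    lost = sorted((sent_packets - arrived).elements())   # sent but never seen at the far end
    sent = Counter(segment_key(r) for r in sender_rows)
    retransmitted = {k for k, n in sent.items() if n > 1}
    spurious = retransmitted - {k[1:] for k in lost}      # every copy arrived: not path loss
    return lost, retransmitted, spurious
```

Matching on ip.src/ip.dst assumes no NAT between the capture points, and a capture taken on a host with segmentation offload enabled may show coalesced segments that do not match the wire packets seen at the other end.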
DNS
DNS queries with no response:
dns and (dns.flags.response==0) and !dns.response_in
DNS queries that failed:
(!(dns.flags.rcode==0)) and (dns.flags.response==1)
Filtering
To exclude packets:
!(udp.port==3389)
!(ip.addr==10.83.157.11)
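Note that != can have unexpected consequences on fields that occur more than once in a packet, such as ip.addr or udp.port: in older Wireshark releases, ip.addr != 10.83.157.11 matches any packet in which either the source or the destination differs from that address, so traffic to or from the host is still shown. The !(...) form above avoids this.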
Decoding RTP Packets
If Wireshark does not auto-detect that UDP packets are RTP, apply the display filter "udp and !rtp", then pick packets at random in the packet list, right-click each one, choose Decode As... and mark it as RTP (both directions), repeating until no packets are left. Then remove the display filter and play back via Telephony > RTP > RTP Streams > Analyze > Play Streams.