Good point. The first capture stopped a few seconds before the second so the flow just kept going. 

Hello @wwwlstr0707 

The packet count discrepancy between the ingress and egress captures could be attributed to several factors related to GRE tunneling and UDP stream behavior...

One common reason is fragmentation. When UDP packets are encapsulated within a GRE tunnel, the added headers may exceed the MTU of the underlying network, causing the encapsulated packets to be fragmented into smaller pieces. This can lead to an increased packet count on the egress side compared to the ingress, where packets were still unfragmented.

--To confirm this, you can analyze the egress capture for IP fragmentation headers and compare the total payload sizes in both captures to ensure they match.

Another potential issue is duplicate packets. Network devices might introduce duplicate packets during retransmissions or as a result of misconfigurations in the GRE tunnel. These duplicates would increase the packet count on the egress side. Examining timestamps, sequence numbers, and inner IP identification fields in the egress capture can help identify duplicates...

Similarly, packet loss or missed packets in the ingress capture could create a mismatch. Hardware or software limitations during the capture process might lead to dropped packets, making it appear as though fewer packets were sent than received.

GRE tunnel processing itself could also be a factor. Certain implementations might modify the encapsulated packets, such as splitting or combining payloads, or introducing control traffic into the tunnel. This could result in a different number of packets on the egress side. Additionally, packet reordering within the tunnel could make it challenging to match packets between captures.

So, checking timestamps and reassembling the packet sequence can help determine whether reordering is contributing to the discrepancy.

Finally, network asymmetry or capture timing could play a role. If the ingress and egress captures are not perfectly synchronized, or if traffic takes an asymmetric path, some packets might bypass the capture points, leading to mismatched counts. Ensuring your captures cover the entire path and are accurately synchronized is critical. By investigating these factors—fragmentation, duplication, packet loss, GRE processing, and network asymmetry—you can identify the root cause of the packet count difference in your UDP stream analysis.

This is  VoIP stream ?

The hops can change Mac add IP header but not change the stream id. 

Also why you not capture traffic in each hops' capture traffic end to end not give you anything.

MHM