Wireshark mailing list archives
Re: recv/drop numbers in pcapng files
From: Anders Broman <a.broman () bredband net>
Date: Wed, 25 Apr 2012 20:50:41 +0200
Michael Tuexen skrev 2012-04-25 20:08:
Dear all, I'm trying to fix https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7191 In a pcapng file, we report according to http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionisb isb_ifrecv: Number of packets received from the physical interface starting from the beginning of the capture. isb_ifdrop: Number of packets dropped by the interface due to lack of resources starting from the beginning of the capture. However, we have no chance to report the packets dumpcap dropped. This yields to the following exmaple: [mba:~/Documents/wireshark/trunk] tuexen% ./dumpcap -i lo0 -i en0 -w test.pcapng Capturing on lo0 and en0 File: test.pcapng Packets captured: 98711 Packets received/dropped on interface lo0: 98603/16405 (85.7%) Packets received/dropped on interface en0: 108/0 (100.0%) This means: 98711 packets have been written to the test.pcapng file. > From these 98711 packets, 98603 where received on lo0, 108 on en0. All packets of the en0 interface have been written to the file. 16405 packets which where on the lo0 interface have been dropped. So 98603+16405 packets have been seen on lo0. This is 115008. What gets written to the Interface Statistics Block: isb_ifrecv 115008, isb_ifdrop 102. This means: 115008 packets where received by the libpcap, 102 have been dropped by the libpcap, and 16303 have been dropped by dumpcap. How should we fix this? Include the packets dropped by dumpcap in isb_ifdrop (somewhat violating the spec)? Or add a new option to the ISB where we can provide the number of packets dropped by dumpcap? Any idea welcome?
Could we useisb_usrdeliv 8 8 Number of packets delivered to the user starting from the beginning of the capture. The value contained in this field can be different from the value 'isb_filteraccept - isb_osdrop' because some packets could still lay in the OS buffers when the capture ended.
To compute the packets droped by dumpcap? /Anders
Best regards Michael ___________________________________________________________________________ Sent via: Wireshark-dev mailing list<wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- recv/drop numbers in pcapng files Michael Tuexen (Apr 25)
- Re: recv/drop numbers in pcapng files Anders Broman (Apr 25)
- Re: recv/drop numbers in pcapng files Michael Tuexen (Apr 25)
- Re: recv/drop numbers in pcapng files Guy Harris (Apr 25)
- Re: recv/drop numbers in pcapng files Michael Tuexen (Apr 25)
- Re: recv/drop numbers in pcapng files Guy Harris (Apr 25)
- Re: recv/drop numbers in pcapng files Michael Tuexen (Apr 25)
- Re: recv/drop numbers in pcapng files Guy Harris (Apr 25)
- Re: recv/drop numbers in pcapng files Michael Tuexen (Apr 25)
- Re: recv/drop numbers in pcapng files Michael Tuexen (Apr 25)
- Re: recv/drop numbers in pcapng files Anders Broman (Apr 25)