Wireshark mailing list archives

what I witnessed during live capture isn't what is shown by the capture files


From: Larry Dieterich <macworks () dcn org>
Date: Wed, 2 Mar 2011 22:33:50 -0800

Hi

This is my first post to this list, and I'm also new to Wireshark.

I am using Wireshark version 1.4.2 on Darwin 10.6.0 (Mac OS 10.6.6), libpcap version 1.1.1 with libz 1.2.5.

I have a real-world problem that I'm trying to solve and I have a mystery on my hands. I've searched Google and the 
archives to no avail. I'm hoping someone here can offer some insight.

Earlier today, I was running a capture on a Mac laptop using a USB to ethernet adapter connected to a managed 3Com 
switch. I was mirroring the traffic from the built-in ethernet on a computer of interest, to my monitoring port.

I had built a set of display filters during the running capture by right-clicking to exclude unwanted traffic so that I 
could focus on the traffic of interest. I was watching the flow and making paper notes about what I saw. It seemed to 
make sense.

I was also running a ring buffer capture of the stream to write the capture to sequentially numbered 20MB files on the 
local drive.

Suddenly, the content of the displayed packets changed radically. No more color tags on the packets, lots of packets 
reported as malformed. Very little TCP traffic. Lots of protocols labeled differently from what I had been seeing. 
Labels included Ethernet II, LLC, FC, and hundreds with the protocol 0x####, where #### varies, but I recorded an 
example, 2c03, so one of the packets reported its protocol as 0x2c03. Hundreds of others had similar notation, but 
different values for ####.

Dozens of different sources and destinations, all apparently MAC addresses, none of the IP addresses as I had been 
seeing in the source and destination columns.

All of a sudden the anomalous packets cleared and Wireshark began reporting the normal traffic I had been seeing.

Then, it did it again, as described above. Hundreds of nonsense packets, malformed packets rampant. I assumed that I 
had detected a hardware malfunction on the network, or an EMF problem or something highly unusual. (Note that this is 
what I am looking for, as I mentioned I have a real problem I'm trying to solve here involving seemingly random 
database crashes.)


Here is the mystery: when I look at the captured files, none of the anomalous noise and mess which I witnessed and 
noted during the live capture is recorded in the captured files! The packets look normal. I actually made notes about 
some of the packets and I recorded them by packet number and description, and file name, while the reported strange 
behavior was occurring. But when I look at those capture files, those same packets look totally different from what I 
saw and what I noted during the live stream.

This is very puzzling to me. 

Insight? Recommended reading? Sympathy?
(btw, I have a sane witness to this event, I'm sure I'm not making it up).

thanks!

Larry
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
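One way to check whether the ring-buffer files actually contain the frames Larry describes (unknown EtherTypes such as 0x2c03, LLC/802.3 frames, runts) is to count frames per Ethernet type directly from the pcap bytes. This is an added example, not code from the original post or from the Wireshark project; it uses only the Python standard library, reads classic little- or big-endian pcap with an Ethernet link type, and builds a constructed sample capture in memory so it runs offline (for the real 20MB files, pass `open(path, "rb").read()` to `classify_frames`).

```python
import struct
from collections import Counter

KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}

def _frame(dst, src, type_or_len, payload):
    return dst + src + struct.pack(">H", type_or_len) + payload

def build_sample_pcap():
    """Constructed sample: a little-endian classic pcap (LINKTYPE_ETHERNET = 1)
    holding five frames, including the kinds reported in the post."""
    frames = [
        _frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800, b"\x45" + b"\x00" * 39),
        _frame(b"\xff" * 6, b"\x66\x77\x88\x99\xaa\xbb", 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),
        _frame(b"\x01\x02\x03\x04\x05\x06", b"\x0a\x0b\x0c\x0d\x0e\x0f", 0x2C03, b"\x00" * 46),  # unknown EtherType
        _frame(b"\x01\x80\xc2\x00\x00\x00", b"\x0a\x0b\x0c\x0d\x0e\x0f", 0x0026, b"\x42\x42\x03" + b"\x00" * 35),  # length field -> LLC
        b"\x00\x11\x22",  # runt: too short to even carry a type/length field
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1299000000 + i, 0, len(f), len(f)) + f  # record header
    return out

def classify_frames(pcap_bytes):
    """Count frames per label: known EtherType name, 'LLC/802.3' when the
    type/length field is <= 1500, 'EtherType 0x####' for unknown types, and
    'runt' when fewer than 14 bytes were captured. Returns a Counter."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond variants not handled)")
    counts = Counter()
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            counts["runt"] += 1
            continue
        t = struct.unpack(">H", frame[12:14])[0]  # type/length field is always big-endian
        if t <= 1500:
            counts["LLC/802.3"] += 1
        else:
            counts[KNOWN_ETHERTYPES.get(t, f"EtherType 0x{t:04x}")] += 1
    return counts

if __name__ == "__main__":
    for label, n in sorted(classify_frames(build_sample_pcap()).items()):
        print(f"{n:6d}  {label}")
```

If the saved files show none of the unknown EtherTypes while the live view did, the difference lies in how the two views were dissected rather than in the bytes that reached the disk; `tshark -r <file> -T fields -e eth.type` gives the same per-frame field from Wireshark's own dissector for cross-checking.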

