Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: recv/drop numbers in pcapng files

From: Michael Tuexen <Michael.Tuexen () lurchi franken de>
Date: Wed, 25 Apr 2012 21:08:51 +0200
On Apr 25, 2012, at 8:50 PM, Anders Broman wrote:


Michael Tuexen skrev 2012-04-25 20:08:

Dear all,

I'm trying to fix

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7191


In a pcapng file, we report according to

http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionisb


isb_ifrecv: Number of packets received from the physical interface
            starting from the beginning of the capture.
isb_ifdrop: Number of packets dropped by the interface due to lack
            of resources starting from the beginning of the capture.

However, we have no chance to report the packets dumpcap dropped. This yields to
the following exmaple:

[mba:~/Documents/wireshark/trunk] tuexen% ./dumpcap -i lo0 -i en0 -w
test.pcapng 
Capturing on lo0 and en0
File: test.pcapng
Packets captured: 98711
Packets received/dropped on interface lo0: 98603/16405 (85.7%)
Packets received/dropped on interface en0: 108/0 (100.0%)

This means: 98711 packets have been written to the test.pcapng file.

From these 98711 packets, 98603 where received on lo0, 108 on en0.


All packets of the en0 interface have been written to the file.

16405 packets which where on the lo0 interface have been dropped.
So 98603+16405 packets have been seen on lo0. This is 115008.

What gets written to the Interface Statistics Block:
isb_ifrecv 115008,
isb_ifdrop 102.

This means: 115008 packets where received by the libpcap, 102 have been dropped
by the libpcap, and 16303 have been dropped by dumpcap.

How should we fix this? Include the packets dropped by dumpcap in isb_ifdrop
(somewhat violating the spec)? Or add a new option to the ISB where we can provide
the number of packets dropped by dumpcap?

Any idea welcome?


Could we use 
isb_usrdeliv  8       8       Number of packets delivered to the user starting from the beginning of the capture. The 
value contained in this field can be different from the value 'isb_filteraccept - isb_osdrop' because some packets 
could             still lay in the OS buffers when the capture ended.
To compute the packets droped by dumpcap?

It does not really fit... The packets are received by dumpcap and dropped by dumpcap.
This doesn't fit to the above description.

I do know how many packets are dropped by dumpcap, I just don't know how to
store it in the pcapng file. As a user, it is important for me that packets
have been dropped, no matter why...

Best regards
Michael

/Anders

Best regards
Michael


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list 
<wireshark-dev () wireshark org>

Archives:    
http://www.wireshark.org/lists/wireshark-dev

Unsubscribe: 
https://wireshark.org/mailman/options/wireshark-dev

             
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe





___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: