Wireshark mailing list archives

Re: Something that would be useful in Wireshark when dealing with dropped packets


From: Richard Sharpe <realrichardsharpe () gmail com>
Date: Tue, 1 Jan 2019 16:33:56 -0800

On Mon, Dec 31, 2018 at 5:09 PM Guy Harris <guy () alum mit edu> wrote:

> On Dec 31, 2018, at 5:05 PM, Richard Sharpe <realrichardsharpe () gmail com> wrote:
>
>> However, I think maybe I have discovered how to prevent that. Increase
>> the buffer size given to dumpcap (2GB or more.)
>
> What happens if you use tcpdump rather than dumpcap?  At least at one point (I think when the changes to libpcap to
> support memory-mapped packet capture on Linux were being done, the person who made them did some tests with and
> without memory-mapped capture with both tcpdump and dumpcap) tcpdump lost significantly fewer packets than dumpcap
> (probably due to the simpler capture code path).

I was capturing on Windows so, AFAIAA, tcpdump was not an option.

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. -- Cao Cao) (Legend has it that Du Kang was the inventor of wine)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev