Wireshark-dev: Re: [Wireshark-dev] dropped packets stats for dumpcap/tshark ring buffer mode


From: Filonenko Alexander-AAF013 <Alex.Filonenko@xxxxxxxxxxxx>
Date: Thu, 9 Oct 2008 10:59:50 -0400

Jaap,

Thanks for looking into this.

> When 36 ethernet ports can cause packet drops on the capture
> interface then probably the monitor port will be dropping
> packets too. How are you going to account for that?

There is no single monitor port. The 36 ports are the monitor ports with 36 instances of tshark (one port - one tshark) running in buffer ring mode.

The number of ports should not affect the complexity of the solution, I hope.

Let's consider a scenario with one port and one tshark instance.
When tshark runs 24/7 and I am examining a buffer taken 15 minutes ago, how do I know if any packets were dropped while the buffer was captured?

> > Ideally would like a separate file stored for each ring buffer by
> > tshark with number of packets dropped. Using Perl with Net::Pcap might
> > be able to help determine if packets were dropped in real-time (not
> > sure if this is going to work with tshark).
> > Any other approaches?

Thanks,
Alex



> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Thursday, October 09, 2008 1:43 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] dropped packets stats for
> dumpcap/tshark ring buffer mode
>
> Hi,
>
> Thinking about this makes me wonder if this is sufficient.
> When 36 ethernet ports can cause packet drops on the capture
> interface then probably the monitor port will be dropping
> packets too. How are you going to account for that?
>
> Thanks,
> Jaap
>
> Filonenko Alexander-AAF013 wrote:
> > Using tshark ring buffer mode on a server capturing data 24/7 from 36
> > Ethernet ports. Users are taking ring buffers as needed via remote
> > access and some scripts which simplify access/merge/processing.
> >
> > Traffic is bursty and I need to know if any packets were dropped while
> > particular ring buffer file was captured. Obviously could get summary
> > of how many packets were dropped when tshark is stopped, but it is
> > running 24/7 and should not stop.
> >
> > Ideally would like a separate file stored for each ring buffer by
> > tshark with number of packets dropped. Using Perl with Net::Pcap might
> > be able to help determine if packets were dropped in real-time (not
> > sure if this is going to work with tshark).
> > Any other approaches?
> >
> > Thank you,
> > Alex Filonenko
> >
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-dev
>
