Wireshark-dev: Re: [Wireshark-dev] recv/drop numbers in pcapng files
From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Wed, 25 Apr 2012 21:08:51 +0200
On Apr 25, 2012, at 8:50 PM, Anders Broman wrote: > Michael Tuexen skrev 2012-04-25 20:08: >> Dear all, >> >> I'm trying to fix >> >> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7191 >> >> >> In a pcapng file, we report according to >> >> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionisb >> >> >> isb_ifrecv: Number of packets received from the physical interface >> starting from the beginning of the capture. >> isb_ifdrop: Number of packets dropped by the interface due to lack >> of resources starting from the beginning of the capture. >> >> However, we have no chance to report the packets dumpcap dropped. This yields to >> the following exmaple: >> >> [mba:~/Documents/wireshark/trunk] tuexen% ./dumpcap -i lo0 -i en0 -w >> test.pcapng >> Capturing on lo0 and en0 >> File: test.pcapng >> Packets captured: 98711 >> Packets received/dropped on interface lo0: 98603/16405 (85.7%) >> Packets received/dropped on interface en0: 108/0 (100.0%) >> >> This means: 98711 packets have been written to the test.pcapng file. >> >From these 98711 packets, 98603 where received on lo0, 108 on en0. >> >> All packets of the en0 interface have been written to the file. >> >> 16405 packets which where on the lo0 interface have been dropped. >> So 98603+16405 packets have been seen on lo0. This is 115008. >> >> What gets written to the Interface Statistics Block: >> isb_ifrecv 115008, >> isb_ifdrop 102. >> >> This means: 115008 packets where received by the libpcap, 102 have been dropped >> by the libpcap, and 16303 have been dropped by dumpcap. >> >> How should we fix this? Include the packets dropped by dumpcap in isb_ifdrop >> (somewhat violating the spec)? Or add a new option to the ISB where we can provide >> the number of packets dropped by dumpcap? >> >> Any idea welcome? >> > Could we use > isb_usrdeliv 8 8 Number of packets delivered to the user starting from the beginning of the capture. The value contained in this field can be different from the value 'isb_filteraccept - isb_osdrop' because some packets could still lay in the OS buffers when the capture ended. > To compute the packets droped by dumpcap? It does not really fit... The packets are received by dumpcap and dropped by dumpcap. This doesn't fit to the above description. I do know how many packets are dropped by dumpcap, I just don't know how to store it in the pcapng file. As a user, it is important for me that packets have been dropped, no matter why... Best regards Michael > /Anders >> Best regards >> Michael >> >> >> ___________________________________________________________________________ >> Sent via: Wireshark-dev mailing list >> <wireshark-dev@xxxxxxxxxxxxx> >> >> Archives: >> http://www.wireshark.org/lists/wireshark-dev >> >> Unsubscribe: >> https://wireshark.org/mailman/options/wireshark-dev >> >> >> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe >> >> >> > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
- References:
- [Wireshark-dev] recv/drop numbers in pcapng files
- From: Michael Tuexen
- Re: [Wireshark-dev] recv/drop numbers in pcapng files
- From: Anders Broman
- [Wireshark-dev] recv/drop numbers in pcapng files
- Prev by Date: Re: [Wireshark-dev] recv/drop numbers in pcapng files
- Next by Date: Re: [Wireshark-dev] recv/drop numbers in pcapng files
- Previous by thread: Re: [Wireshark-dev] recv/drop numbers in pcapng files
- Next by thread: Re: [Wireshark-dev] recv/drop numbers in pcapng files
- Index(es):
- Get Wireshark
- Download
- Code of Conduct