Wireshark-bugs: [Wireshark-bugs] [Bug 3205] New: tshark reports wrong number of bytes on big dum

Date: Fri, 16 Jan 2009 12:06:12 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3205

           Summary: tshark reports wrong number of bytes on big dumpfiles
                    with -z io,stat
           Product: Wireshark
           Version: 1.0.5
          Platform: PC
        OS/Version: FreeBSD
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: jerous@xxxxxxxxx


Build Information:
tshark -v
TShark 1.0.5

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 1.2.10, with libpcap 0.9.8, with libz 1.2.3, without POSIX
capabilities, with libpcre 7.8, with SMI 0.4.7, with ADNS, without Lua, without
GnuTLS, without Gcrypt, with Heimdal Kerberos.

Running on FreeBSD 7.0-RELEASE-p4, with libpcap version 0.9.8.

Built using gcc 4.2.1 20070719  [FreeBSD].
--
If requesting stats from tshark on a big file (the problem occurred here with a file
of approximately 700 MB) with tshark -z io,stat,3600 file.cap (file.cap's
timespan is exactly 3600 seconds), then it reports a wrong number of bytes.

How to reproduce: get a big pcap-file, and run tshark -q -r file.cap -z
io,stat,3600 against it.

Actual results: number of reported total bytes is too low.

Expected results: same number of bytes as reported by other programs, like
capinfos.

Additional information:
Examples
file1 (700MB) contains IEEE 802.11 traces, file2 (1000MB) Ethernet packets.
The results shown by capinfos are confirmed by running other programs (libtrace
and tcpstat).

BYTES    file1 (700MB) file2 (1000MB)
--------------------------------------
tshark   1476298076    99035452
capinfos 14361199964   12983937340

PACKETS  file1         file2
--------------------------------------
tshark   17043153      14938985
capinfos 17043153      14938985

Thus the number of packets is reported correctly, only the number of bytes
seems to be wrong.


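Added example, not part of the original report and not Wireshark code: a triage check showing that the byte totals in the table above agree modulo 2^32, which is what a 32-bit accumulator would produce. The 32-bit counter width is an assumption (the report does not state the cause), and the function names and the evenly spread packet sizes are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* If `reported` is what a 32-bit counter would hold after summing to
 * `reference`, return how many times the counter wrapped; otherwise -1. */
static int wraps_if_truncated(uint64_t reported, uint64_t reference)
{
    if (reported > UINT32_MAX || reference < reported)
        return -1;
    if ((uint32_t)reference != (uint32_t)reported)
        return -1;
    return (int)((reference - reported) >> 32);
}

struct totals { uint32_t narrow; uint64_t wide; };

/* Sum a constructed capture of n_packets frames whose lengths add up to
 * total_bytes, once into a 32-bit and once into a 64-bit accumulator. */
static struct totals accumulate(uint64_t n_packets, uint64_t total_bytes)
{
    struct totals t = {0, 0};
    uint64_t base = total_bytes / n_packets;
    uint64_t extra = total_bytes % n_packets;
    for (uint64_t i = 0; i < n_packets; i++) {
        uint32_t len = (uint32_t)(base + (i < extra ? 1 : 0));
        t.narrow += len;   /* unsigned wraparound at 2^32 (assumed defect) */
        t.wide += len;     /* wide enough for multi-gigabyte captures */
    }
    return t;
}

int main(void)
{
    /* Figures copied from the report's BYTES and PACKETS tables. */
    printf("file1 wraps: %d\n", wraps_if_truncated(1476298076ULL, 14361199964ULL));
    printf("file2 wraps: %d\n", wraps_if_truncated(99035452ULL, 12983937340ULL));

    struct totals t = accumulate(17043153ULL, 14361199964ULL);
    printf("32-bit sum: %" PRIu32 "\n64-bit sum: %" PRIu64 "\n", t.narrow, t.wide);
    return 0;
}
```

The packet counts in the report are below 2^32, so the same check returns zero wraps for them, matching the observation that only the byte totals differ.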