Wireshark-dev: Re: [Wireshark-dev] dropped packets stats for dumpcap/tshark ring buffer mode

From: Filonenko Alexander-AAF013 <Alex.Filonenko@xxxxxxxxxxxx>
Date: Thu, 9 Oct 2008 10:59:50 -0400

Jaap,

Thanks for looking into this.

> When 36 ethernet ports can cause packet drops on the capture
> interface then probably the monitor port will be dropping
> packets too. How are you going to account for that?

There is no single monitor port. The 36 ports are the monitor ports with 36 instances of tshark (one port - one tshark) running in buffer ring mode.

The number of ports should not affect the complexity of the solution, I hope.

Let's consider a scenario with one port and one tshark instance.
When tshark runs 24/7 and I am examining a buffer taken 15 minutes ago, how do I know if any packets were dropped while the buffer was captured?

> > Ideally would like a separate file stored for each ring buffer by
> > tshark with number of packets dropped. Using Perl with Net::Pcap might
> > be able to help determine if packets were dropped in real-time (not
> > sure if this is going to work with tshark).
> > Any other approaches?

Thanks,
Alex



> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Jaap Keuter
> Sent: Thursday, October 09, 2008 1:43 AM
> To: Developer support list for Wireshark
> Subject: Re: [Wireshark-dev] dropped packets stats for
> dumpcap/tshark ring buffer mode
>
> Hi,
>
> Thinking about this makes me wonder if this is sufficient.
> When 36 ethernet ports can cause packet drops on the capture
> interface then probably the monitor port will be dropping
> packets too. How are you going to account for that?
>
> Thanks,
> Jaap
>
> Filonenko Alexander-AAF013 wrote:
> > Using tshark ring buffer mode on a server capturing data 24/7 from 36
> > Ethernet ports. Users are taking ring buffers as needed via remote
> > access and some scripts which simplify access/merge/processing.
> >
> > Traffic is bursty and I need to know if any packets were dropped while
> > particular ring buffer file was captured. Obviously could get summary
> > of how many packets were dropped when tshark is stopped, but it is
> > running 24/7 and should not stop.
> >
> > Ideally would like a separate file stored for each ring buffer by
> > tshark with number of packets dropped. Using Perl with Net::Pcap might
> > be able to help determine if packets were dropped in real-time (not
> > sure if this is going to work with tshark).
> > Any other approaches?
> >
> > Thank you,
> > Alex Filonenko
> >