Wireshark-dev: [Wireshark-dev] recv/drop numbers in pcapng files

From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Wed, 25 Apr 2012 20:08:56 +0200
Dear all,

I'm trying to fix
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7191

In a pcapng file, we report according to
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionisb

isb_ifrecv: Number of packets received from the physical interface
            starting from the beginning of the capture.
isb_ifdrop: Number of packets dropped by the interface due to lack
            of resources starting from the beginning of the capture.

However, we have no chance to report the packets dumpcap dropped. This leads to
the following example:

[mba:~/Documents/wireshark/trunk] tuexen% ./dumpcap -i lo0 -i en0 -w test.pcapng
Capturing on lo0 and en0
File: test.pcapng
Packets captured: 98711
Packets received/dropped on interface lo0: 98603/16405 (85.7%)
Packets received/dropped on interface en0: 108/0 (100.0%)

This means: 98711 packets have been written to the test.pcapng file.
From these 98711 packets, 98603 were received on lo0, 108 on en0.

All packets of the en0 interface have been written to the file.

16405 packets which were on the lo0 interface have been dropped.
So 98603+16405 packets have been seen on lo0. This is 115008.

What gets written to the Interface Statistics Block:
isb_ifrecv 115008,
isb_ifdrop 102.

This means: 115008 packets were received by the libpcap, 102 have been dropped
by the libpcap, and 16303 have been dropped by dumpcap.

How should we fix this? Include the packets dropped by dumpcap in isb_ifdrop
(somewhat violating the spec)? Or add a new option to the ISB where we can provide
the number of packets dropped by dumpcap?

Any ideas welcome.

Best regards
Michael
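
The accounting described in the message above can be checked from the file itself. The following is an added example, not code from the original post or from Wireshark: it counts Enhanced Packet Blocks per interface, reads isb_ifrecv and isb_ifdrop from each Interface Statistics Block, and reports the packets that are in neither the file nor isb_ifdrop. The function names and the sample capture are constructed for illustration, and a single-section file is assumed.

```python
import struct
from collections import Counter

SHB, IDB, ISB, EPB = 0x0A0D0D0A, 1, 5, 6      # pcapng block types
ISB_IFRECV, ISB_IFDROP = 4, 5                 # ISB option codes
def app_dropped(ifrecv, ifdrop, written):
    """Packets libpcap delivered that were never written to the file."""
    return ifrecv - ifdrop - written

def account(data):
    """Walk pcapng bytes; return per-interface counters from EPBs and ISBs."""
    written, isb_opts, pos, e = Counter(), {}, 0, "<"
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":   # SHB sets the byte order
            e = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(e + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError("bad block length at offset %d" % pos)
        body = data[pos + 8:pos + blen - 4]
        if btype == EPB and len(body) >= 20:
            written[struct.unpack_from(e + "I", body)[0]] += 1
        elif btype == ISB and len(body) >= 12:
            if_id, off, opts = struct.unpack_from(e + "I", body)[0], 12, {}
            while off + 4 <= len(body):
                code, olen = struct.unpack_from(e + "HH", body, off)
                if code == 0 or off + 4 + olen > len(body):   # end / truncated
                    break
                if code in (ISB_IFRECV, ISB_IFDROP) and olen == 8:
                    opts[code] = struct.unpack_from(e + "Q", body, off + 4)[0]
                off += 4 + (olen + 3) // 4 * 4           # values padded to 32 bits
            isb_opts[if_id] = opts
        pos += blen
    out = {}
    for i, o in isb_opts.items():
        recv, drop = o.get(ISB_IFRECV), o.get(ISB_IFDROP)
        gap = None if None in (recv, drop) else app_dropped(recv, drop, written[i])
        out[i] = {"written": written[i], "ifrecv": recv, "ifdrop": drop, "app_dropped": gap}
    return out

def _blk(btype, body):                                  # builds one constructed block
    n = len(body) + 12
    return struct.pack("<II", btype, n) + body + struct.pack("<I", n)

def sample():
    """Constructed capture: one interface, 3 EPBs, ISB with ifrecv=10, ifdrop=2."""
    opts = struct.pack("<HHQHHQHH", ISB_IFRECV, 8, 10, ISB_IFDROP, 8, 2, 0, 0)
    return (_blk(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
            + _blk(IDB, struct.pack("<HHI", 1, 0, 65535))
            + _blk(EPB, struct.pack("<5I", 0, 0, 0, 4, 4) + b"\0" * 4) * 3
            + _blk(ISB, struct.pack("<3I", 0, 0, 0) + opts))
```

A non-zero `app_dropped` for an interface means the file is missing packets that the ISB counters alone do not reveal, which matters when a capture is used as evidence of what crossed the wire.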