Wireshark-dev: Re: [Wireshark-dev] recv/drop numbers in pcapng files

From: Michael Tuexen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Wed, 25 Apr 2012 21:08:51 +0200
On Apr 25, 2012, at 8:50 PM, Anders Broman wrote:

> Michael Tuexen skrev 2012-04-25 20:08:
>> Dear all,
>> 
>> I'm trying to fix
>> 
>> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7191
>> 
>> 
>> In a pcapng file, we report according to
>> 
>> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionisb
>> 
>> 
>> isb_ifrecv: Number of packets received from the physical interface
>>             starting from the beginning of the capture.
>> isb_ifdrop: Number of packets dropped by the interface due to lack
>>             of resources starting from the beginning of the capture.
>> 
>> However, we have no chance to report the packets dumpcap dropped. This yields
>> the following example:
>> 
>> [mba:~/Documents/wireshark/trunk] tuexen% ./dumpcap -i lo0 -i en0 -w test.pcapng
>> Capturing on lo0 and en0
>> File: test.pcapng
>> Packets captured: 98711
>> Packets received/dropped on interface lo0: 98603/16405 (85.7%)
>> Packets received/dropped on interface en0: 108/0 (100.0%)
>> 
>> This means: 98711 packets have been written to the test.pcapng file.
>> From these 98711 packets, 98603 were received on lo0, 108 on en0.
>> 
>> All packets of the en0 interface have been written to the file.
>> 
>> 16405 packets which were on the lo0 interface have been dropped.
>> So 98603+16405 packets have been seen on lo0. This is 115008.
>> 
>> What gets written to the Interface Statistics Block:
>> isb_ifrecv 115008,
>> isb_ifdrop 102.
>> 
>> This means: 115008 packets were received by the libpcap, 102 have been dropped
>> by the libpcap, and 16303 have been dropped by dumpcap.
>> 
>> How should we fix this? Include the packets dropped by dumpcap in isb_ifdrop
>> (somewhat violating the spec)? Or add a new option to the ISB where we can provide
>> the number of packets dropped by dumpcap?
>> 
>> Any idea welcome?
>> 
> Could we use
> isb_usrdeliv 8 8 Number of packets delivered to the user starting from the beginning of the capture. The value contained in this field can be different from the value 'isb_filteraccept - isb_osdrop' because some packets could still lay in the OS buffers when the capture ended.
> to compute the packets dropped by dumpcap?
It does not really fit... The packets are received by dumpcap and dropped by dumpcap.
This doesn't fit to the above description.

I do know how many packets are dropped by dumpcap, I just don't know how to
store it in the pcapng file. As a user, it is important for me that packets
have been dropped, no matter why...

Best regards
Michael
> /Anders
>> Best regards
>> Michael
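
An added example, not code from this thread or from Wireshark: a minimal Python parser for one pcapng Interface Statistics Block that reconciles its counters with the number of packets actually present in the file, reproducing the 16303 figure for lo0 discussed above. The function names, the little-endian default and the constructed sample block are assumptions made for illustration; option codes 4 to 8 are the ISB options of the pcapng format.

```python
import struct

ISB_BLOCK_TYPE = 0x00000005
# Option codes of the pcapng Interface Statistics Block (all 64-bit counters).
ISB_OPTIONS = {4: "isb_ifrecv", 5: "isb_ifdrop", 6: "isb_filteraccept",
               7: "isb_osdrop", 8: "isb_usrdeliv"}

def parse_isb(block, endian="<"):
    """Return (interface_id, {option_name: value}) for one complete ISB."""
    if len(block) < 24:
        raise ValueError("block too short for an Interface Statistics Block")
    btype, total_len = struct.unpack_from(endian + "II", block, 0)
    if btype != ISB_BLOCK_TYPE or total_len != len(block):
        raise ValueError("not a well-formed Interface Statistics Block")
    if struct.unpack_from(endian + "I", block, total_len - 4)[0] != total_len:
        raise ValueError("trailing block length mismatch")
    interface_id = struct.unpack_from(endian + "I", block, 8)[0]
    counters, pos, end = {}, 20, total_len - 4   # skip id + 64-bit timestamp
    while pos + 4 <= end:
        code, length = struct.unpack_from(endian + "HH", block, pos)
        pos += 4
        if code == 0:                            # opt_endofopt
            break
        if pos + length > end:
            raise ValueError("option overruns block")
        if code in ISB_OPTIONS and length == 8:
            counters[ISB_OPTIONS[code]] = struct.unpack_from(endian + "Q", block, pos)[0]
        pos += (length + 3) & ~3                 # values are padded to 32 bits
    return interface_id, counters

def app_drops(counters, packets_in_file):
    """Packets the capture library delivered that never reached the file."""
    delivered = counters["isb_ifrecv"] - counters.get("isb_ifdrop", 0)
    return delivered - packets_in_file

def build_isb(interface_id, opts, endian="<"):
    """Helper for constructed sample input: serialize an ISB with 64-bit options."""
    body = struct.pack(endian + "III", interface_id, 0, 0)
    for code, value in opts.items():
        body += struct.pack(endian + "HHQ", code, 8, value)
    body += struct.pack(endian + "HH", 0, 0)
    total = 12 + len(body)
    return (struct.pack(endian + "II", ISB_BLOCK_TYPE, total) + body
            + struct.pack(endian + "I", total))

# Constructed sample carrying the lo0 counters quoted in the thread.
SAMPLE = build_isb(0, {4: 115008, 5: 102})
```

`app_drops(parse_isb(SAMPLE)[1], 98603)` gives the number of lo0 packets lost between the capture library and the file, a loss the two ISB counters alone do not expose to whoever later analyses the capture.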