On Apr 25, 2012, at 12:06 PM, Michael Tuexen wrote:
> When using threads, we run a thread for each source. Once the packet has been read it is
> stored in a queue.
I'm assuming here that "stored in a queue" doesn't mean "the raw packet contents are copied", as that would add to dumpcap's memory bandwidth requirements and reduce its ability to avoid dropping packets, relative to the 1.6.x version of dumpcap; if the raw packet contents *are* copied, that's a bug.
Given that, I would be inclined to dynamically allocate the queue elements, which should be small as they don't have to include packet data, so that packets are dropped by the capture mechanism because dumpcap can't read them fast enough, but not by dumpcap itself.
If that's impossible, I would add "dropped by the capture mechanism" and "dropped by dumpcap" together and use that as a count of packets dropped.
