
Wireshark-users: [Wireshark-users] Yet another dropped packets thread

From: Daniel Harrison <nixscripter@xxxxxxxxx>
Date: Sun, 14 Dec 2008 16:02:49 -0600

Hello everyone.

I'm running Linux, Ubuntu 8.10 to be exact, and darn it, my copy of wireshark is dropping packets! About a third of them!

I'm sure you get this a lot, but before you close the window this message is sitting in, let me explain why I am writing to this mailing list.

The suggestions on the wiki don't help much:

1. Try tcpdump/pcap. I did, and tcpdump drops them too. This might have to do with the pcap library underlying them both.
2. Get a faster hard drive. The packet drops also happen when I use tmpfs, i.e. a hard drive with a throughput of 660 MB per second. I don't think that's it.
3. Get a faster network card. It's a wireless card running in 802.11b mode with very few retransmits. The application also receives everything fine; if it didn't, TCP would cause retransmits (I'm looking at HTTP traffic), so it's not the network layer's fault.
4. Get a faster machine. I don't think this is a problem, because I have a 10-year-old 1 GHz Pentium III with a junky ethernet card which drops nothing. The machine in question is a dual core 1.5 GHz Intel Pentium M laptop. Both run Linux, by the way.

Number four, in particular, is the reason I am writing to this mailing list. It is why I am convinced the problem is in software somewhere.

So my question really is more specific: what software settings (particularly those relating to libpcap) can I tweak to help this problem? For example, is there a way to change the size of pcap's magic packet buffer? Or, is there some clever thing I can do with virtual device interfaces (like a TAP device) to make the packets go through wireshark to get to their destination or else?

Thanks in advance.
--
Dan Harrison