
Wireshark-users: Re: [Wireshark-users] what I witnessed during live capture isn't what is shown b

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 03 Mar 2011 08:23:31 +0100
Hi,

AFAIK this could only be happening when Wireshark gets out of whack when reading your capture file while the capture is running. That is why you can read them all right afterwards. I assume the changeover between the two 'states' happens with the changeover in capture file. Of course this is not supposed to happen, but there are some intricate interactions going on in ring buffer mode. A report of this at bugs.wireshark.org would be appreciated.

Thanks,
Jaap

On 03/03/2011 07:33 AM, Larry Dieterich wrote:
Hi

This is my first post to this list, and I'm also new to Wireshark.

I am using Wireshark version 1.4.2 on Darwin 10.6.0 Mac OS 10.6.6. Libpcap version 1.1.1 with libz 1.2.5

I have a real-world problem that I'm trying to solve and I have a mystery on my hands. I've searched Google and the archives to no avail. I'm hoping someone here can offer some insight.

Earlier today, I was running a capture on a Mac laptop using a USB to ethernet adapter connected to a managed 3Com switch. I was mirroring the traffic from the built-in ethernet on a computer of interest, to my monitoring port.

I had built a set of display filters during the running capture by right-clicking to exclude unwanted traffic so that I could focus on the traffic of interest. I was watching the flow and making paper notes about what I saw. It seemed to make sense.

I was also running a ring buffer capture of the stream to write the capture to sequentially numbered 20MB files on the local drive.

Suddenly, the content of the displayed packets changed radically. No more color tags on the packets, lots of packets reported as malformed. Very little TCP traffic. Lots of protocols labeled differently from what I had been seeing. Labels including: Ethernet II, LLC, FC and hundreds with the protocol 0x####, where #### varies, but I recorded an example - 2c03, so one of the packets reported its protocol as 0x2c03. Hundreds of others with similar notation, but different values for ####.

Dozens of different sources and destinations, all apparently MAC addresses, none of the IP addresses as I had been seeing in the source and destination columns.

All of a sudden the anomalous packets cleared and Wireshark began reporting the normal traffic I had been seeing.

Then, it did it again, as described above. Hundreds of nonsense packets, malformed packets rampant. I assumed that I had detected a hardware malfunction on the network, or an EMF problem or something highly unusual. (Note that this is what I am looking for, as I mentioned I have a real problem I'm trying to solve here involving seemingly random database crashes.)


Here is the mystery: when I look at the captured files, none of the anomalous noise and mess which I witnessed and noted during the live capture is recorded in the captured files! The packets look normal. I actually made notes about some of the packets and I recorded them by packet number and description, and file name, while the reported strange behavior was occurring. But when I look at those capture files, those same packets look totally different from what I saw and what I noted during the live stream.

This is very puzzling to me.

Insight? Recommended reading? Sympathy?
(btw, I have a sane witness to this event, I'm sure I'm not making it up).

thanks!

Larry