Ethereal version 0.7.1, Linux Redhat 5.2, intel kernel 2.0.36, 350 BogoMIPS,
eepro100 i82557/i82558 10/100 Ethernet.
Whilst using ethereal -S yesterday I noticed that some packets had been missed,
I didn't repeat the analysis from a capture without '-S'.
When I had captured all that I wanted, I stopped the capture and found that
some tcp sequence numbers were missing by going through the list with a
calculator adding the offset (based on packet length) to the sequence
number to determine the next expected sequence number. Sometimes blocks
of several packets were missing but the dropped packet count was always zero.
I would guess that the dropped packet count is read from the Ethernet driver
somehow which either doesn't work with some drivers or ethereal doesn't always
read fast enough.
Assuming I don't misunderstand the tcp protocol:
1) Could a dropped tcp packet count be derived by searching through the captured
tcp streams? Probably this could only work at best like the semi-on-the-fly
display option or calculated just after capture has been stopped.
2) It could be handy to have more options for the displayed order of packets,
such as by correct sequence order, in other words, packet order sorting rather
than arrival time order.
----------------------------------
E-Mail: John Morris <john@xxxxxxxxxx>
Date: 12-Aug-99
Time: 15:56:50
This message was sent by XFMail
----------------------------------
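
Added example, not part of the original message and not Ethereal code: the manual check described above (sequence number plus payload length gives the next expected sequence number), automated for one direction of one TCP flow, with segments put into sequence order first as in point 2. The names `find_gaps` and `SAMPLE` are hypothetical and the segment list is constructed sample data.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def find_gaps(segments):
    """Return [(missing_seq, missing_bytes), ...] for one direction of a flow.

    segments: iterable of (seq, payload_len) in capture (arrival) order.
    Assumptions: the first captured segment is the earliest in the stream,
    the capture spans less than 2**32 bytes, and SYN/FIN flags (which each
    consume one sequence number) are not present in the input.
    """
    data = [s for s in segments if s[1] > 0]  # pure ACKs carry no payload
    if not data:
        return []
    base = data[0][0]
    # Rebase onto the first sequence number so a wrap past 2**32 still sorts
    # correctly, then order by sequence instead of by arrival time.
    spans = sorted(((seq - base) % MOD, length) for seq, length in data)
    gaps = []
    expected = 0  # next expected offset, relative to base
    for offset, length in spans:
        if offset > expected:
            gaps.append(((base + expected) % MOD, offset - expected))
        # max() absorbs retransmissions and overlapping segments
        expected = max(expected, offset + length)
    return gaps


# Constructed capture: wraps through 2**32, has one out-of-order segment,
# one retransmission, and two holes the capture never saw.
SAMPLE = [
    (MOD - 1000, 500),
    (MOD - 500, 500),   # next expected sequence number wraps to 0
    (500, 500),         # bytes 0..499 never captured
    (1500, 500),        # arrived before the segment at 1000
    (1000, 500),
    (1000, 500),        # retransmission, must not count as a gap
    (3500, 500),        # bytes 2000..3499 never captured
]

if __name__ == "__main__":
    for seq, missing in find_gaps(SAMPLE):
        print(f"hole at seq {seq}: {missing} bytes not captured")
```

A hole that remains after sorting means those bytes were not seen in any captured segment, including retransmissions, which is the condition the zero dropped-packet counter failed to report.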