Ethereal-users: Re: [Ethereal-users] ethereal cannot caputure all of fragmented packets
On Mon, Jan 13, 2003 at 11:25:11AM -0500, lijian97@xxxxxxxxxxxx wrote:
> I am using ethereal 0.9.0 in Sun Solaris 9. When a huge packets is
> fragmentized to many small ones and sent to Sun machines. The ethereal
> cannot caputure all ofthem, only aprt of them are caputured. The snoop
> ( integrated in Sun ) can caputure all of them.
There are two reasons I can think of why this might happen:
1) there might be a problem with libpcap on Solaris that causes
all applications using libpcap - including Ethereal,
Tethereal, and tcpdump - to drop packets when snoop doesn't;
2) there might be a problem with Ethereal that causes it to drop
packets when other libpcap-based applications don't.
It might also be that both reasons cause packet drops in Ethereal.
The first thing to test would be to see whether Tethereal has the same
problem; if not, that makes it much more likely that it's a problem with
libpcap.
One such problem was mentioned in this libpcap bug report:
http://sourceforge.net/tracker/index.php?func=detail&aid=673958&group_id=53067&atid=469577
The bug complains that packet drops aren't reported as such by libpcap,
even though the packets *are* dropped. The bug *also* says that more
changes are needed in order not to drop packets at all.
Note that, at least according to "truss", "snoop":
1) does *not* set the SB_NO_DROPS flag;
2) *does* set the chunk size with SBIOCSCHUNK, although I don't
know what it sets the chunk size to;
whereas libpcap does set SB_NO_DROPS and does not set the chunk size.
It might be that snoop setting the chunk size and libpcap not doing so
makes a difference.