Wireshark · Ethereal-users: Re: [Ethereal-users] traffic analysis, help please

Ethereal-users: Re: [Ethereal-users] traffic analysis, help please

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Fri, 24 Dec 2004 11:03:47 -0800

Brian Davidson wrote:

Okay, I see that a TCP Packet was lost, but I guess I want a fullerdefinition of the word "lost". Yes, the packet might actually not bethere. Beyond that, how likely is it that the traffic was so heavy onthe line that Ethereal did not have resources to capture and save it? Ineed to know if "TCP Previous Segment Lost" means absolutely that it wasmissing, rather than "slipped past while Ethereal was busy". Is theresome other indicater in the capture file that traffic volume got highenough to affect the ability to record?

Unfortunately, there isn't. The "next-generation" version of thelibpcap format that's our native capture file format will

1) have the ability to put into the capture file a "statistics" recordindicating how many packets were reported by the host OS softwareEthereal uses to capture as having been received but discarded becausethe buffer for captured packets was full (note that some host OSsoftware might not provide this)

and

2) have the ability to record, for each packet, the number of packetsdiscarded for that reason since the previous packet *if* the host OSmakes that available (which, again, it might not be).

Even from that you can't know whether a lost segment was one of thepackets discarded by the host OS software. If you're capturing trafficthat is being sent to the machine doing the capture, note that a TCPsegment packet might be be processed by the host TCP stack, and the datain the segment supplied to whatever application is reading from the TCPconnection, *and* discarded by the capture code, because the capturecode might be capturing *all* packets and the buffer used by *it* mightnot be large enough, or the program doing the capturing might not beemptying it fast enough.

On OSes where the information for (1) is available, if you capture withEthereal, when the capture finishes it should report the total number ofpackets discarded ("Drops") in the left-hand box in the status bar atthe bottom of the display. That's not stored in the capture file, however.

References:
- Re: [Ethereal-users] traffic analysis, help please
  - From: Brian Davidson

Prev by Date: Re: [Ethereal-users] Can't get list of interfaces error
Next by Date: Re: [Ethereal-users] development information
Previous by thread: Re: [Ethereal-users] traffic analysis, help please
Next by thread: Re: [Ethereal-users] traffic analysis, help please
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$