Wireshark-users: [Wireshark-users] Possible bug in Wireshark/Tshark Conversations Counters
From: "Tim Everitt" <tim.everitt@xxxxxxxx>
Date: Sat, 7 Apr 2007 08:48:21 +0100
I believe that some of the Conversation counters do not operate correctly when packets have been captured with a packet length limit (or -s in tshark).

This is very simple to check.

Start a capture. Browse a web site. Stop the capture. Run the Statistics-->Summary option to get an idea of how many packets and bytes have been captured. Run the Statistics-->Conversations option and the Ethernet, IPv4 and TCP numbers should all make sense. Repeat the above but before starting the capture limit the packet length to 128bytes. The Ethernet and IPv4 counters will massively under-report the numbers but the TCP numbers look correct.

I suspect that the Ethernet and IPv4 counters are not counting truncated packets.

I have checked back using an old software revision (ethereal 0.10.13) and the numbers worked correctly then.

Please can someone else check this to see if my report above is correct.

Thanks, Tim Everitt.