Wireshark-users: [Wireshark-users] Possible bug in Wireshark/Tshark Conversations Counters
I believe that some of the Conversation counters do not operate correctly
when packets have been captured with a packet length limit (or -s in
tshark).
This is very simple to check.
Start a capture. Browse a web site. Stop the capture. Run the
Statistics-->Summary option to get an idea of how many packets and bytes
have been captured. Run the Statistics-->Conversations option and the
Ethernet, IPv4 and TCP numbers should all make sense.
Repeat the above but before starting the capture limit the packet length to
128bytes. The Ethernet and IPv4 counters will massively under-report the
numbers but the TCP numbers look correct.
I suspect that the Ethernet and IPv4 counters are not counting truncated
packets.
I have checked back using an old software revision (ethereal 0.10.13) and
the numbers worked correctly then.
Please can someone else check this to see if my report above is correct.
Thanks, Tim Everitt.