On Apr 25, 2012, at 8:51 PM, Guy Harris wrote:
>
> On Apr 25, 2012, at 11:08 AM, Michael Tuexen wrote:
>
>> However, we have no chance to report the packets dumpcap dropped.
>
> Where does dumpcap itself drop packets? Is this referring to the fact that,
> on some platforms, the OS's capture mechanism
When using threads, we run a thread for each source. Once the packet has been
read it is
stored in a queue. The main thread takes the packets out of the queue and
writes it to
the capture file.
The main reason for dumpcap dropping packets is if the queue exceeds some limits
(we limit the number of packets and the number of bytes).
Best regards
Michael
> reports received packets as "packets received by the capture mechanism"
> rather than "packets received by the capture mechanism *and read into
> userland*" (and even *that* could be less than "... *and processed by the
> application*")?
>
> $ man bpf
>
> ...
>
> BIOCGSTATS (struct bpf_stat) Returns the following structure of
> packet statistics:
>
> struct bpf_stat {
> u_int bs_recv; /* number of packets received */
> u_int bs_drop; /* number of packets dropped */
> };
>
> The fields are:
>
> bs_recv the number of packets received by the
> descriptor since opened or reset (*including any buffered since the last read
> call*); and
>
> (emphasis mine)?
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <[email protected]>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:[email protected]?subject=unsubscribe
>
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe
