On Apr 25, 2012, at 8:50 PM, Anders Broman wrote: > Michael Tuexen skrev 2012-04-25 20:08: >> Dear all, >> >> I'm trying to fix >> >> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7191 >> >> >> In a pcapng file, we report according to >> >> http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html#sectionisb >> >> >> isb_ifrecv: Number of packets received from the physical interface >> starting from the beginning of the capture. >> isb_ifdrop: Number of packets dropped by the interface due to lack >> of resources starting from the beginning of the capture. >> >> However, we have no chance to report the packets dumpcap dropped. This >> yields to >> the following exmaple: >> >> [mba:~/Documents/wireshark/trunk] tuexen% ./dumpcap -i lo0 -i en0 -w >> test.pcapng >> Capturing on lo0 and en0 >> File: test.pcapng >> Packets captured: 98711 >> Packets received/dropped on interface lo0: 98603/16405 (85.7%) >> Packets received/dropped on interface en0: 108/0 (100.0%) >> >> This means: 98711 packets have been written to the test.pcapng file. >> >From these 98711 packets, 98603 where received on lo0, 108 on en0. >> >> All packets of the en0 interface have been written to the file. >> >> 16405 packets which where on the lo0 interface have been dropped. >> So 98603+16405 packets have been seen on lo0. This is 115008. >> >> What gets written to the Interface Statistics Block: >> isb_ifrecv 115008, >> isb_ifdrop 102. >> >> This means: 115008 packets where received by the libpcap, 102 have been >> dropped >> by the libpcap, and 16303 have been dropped by dumpcap. >> >> How should we fix this? Include the packets dropped by dumpcap in isb_ifdrop >> (somewhat violating the spec)? Or add a new option to the ISB where we can >> provide >> the number of packets dropped by dumpcap? >> >> Any idea welcome? >> > Could we use > isb_usrdeliv 8 8 Number of packets delivered to the user > starting from the beginning of the capture. The value contained in this field > can be different from the value 'isb_filteraccept - isb_osdrop' because some > packets could still lay in the OS buffers when the capture ended. > To compute the packets droped by dumpcap? It does not really fit... The packets are received by dumpcap and dropped by dumpcap. This doesn't fit to the above description.
I do know how many packets are dropped by dumpcap, I just don't know how to store it in the pcapng file. As a user, it is important for me that packets have been dropped, no matter why... Best regards Michael > /Anders >> Best regards >> Michael >> >> >> ___________________________________________________________________________ >> Sent via: Wireshark-dev mailing list >> <[email protected]> >> >> Archives: >> http://www.wireshark.org/lists/wireshark-dev >> >> Unsubscribe: >> https://wireshark.org/mailman/options/wireshark-dev >> >> >> mailto:[email protected]?subject=unsubscribe >> >> >> > > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list <[email protected]> > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:[email protected]?subject=unsubscribe ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <[email protected]> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:[email protected]?subject=unsubscribe
