This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

limit number of packets I can see in wireshark???


Hi everyone,

I would be very grateful if someone can help. I have developed a tool for sending files and I use Wireshark to count the time of the transfer and the number of packets. The problem is when I send big files, i.e. I send a file of 200MB with the UDP protocol, so I can see all the packets in the network. But Wireshark sometimes is destroyed; is it because it can capture so many packets?? Always the maximum number of packets it shows me is 224965, but I didn't put any limit in the program! Why does this happen?? I can't analyze the total traffic for sending big files...

Thank you very much for your help in advance, I'm a little desperate!!

Greetings, Susana

asked 14 Dec '10, 09:31


Susana26


3 Answers:


First of all, Wireshark is not limited regarding the number of packets it can capture. If it always crashes at roughly the same packet number you should check if your disk is full. Wireshark captures into a temp file whenever you start capturing, and maybe that temp file is on a disk that doesn't have much room left.

You can see the name of the temp file in the status bar while you're capturing to find out where it is. Or you open the "About" dialog, go to the "Folders" tab and take a look at the "Temp" value.

If you have enough disk space you could try to capture by just running dumpcap instead. It is usually found in the same folder you installed Wireshark to. There are a couple of parameters that you can use to specify the NIC you want to capture on and where to write the trace file to.

answered 14 Dec '10, 09:38


Jasper ♦♦

Thanks a lot for your answer Jasper. I have looked if I have enough space in the Temp folder, i.e. on the disk I have 39 GB free, so I think this is not the problem..

I have tried with tcpdump by command line. I'm only capturing the traffic in the localhost because now I have the client and the server in my own machine. What I obtained with tcpdump in the command line is the following:

  • a number of packets captured
  • a number of packets received by filter
  • a number of packets dropped by kernel

What is the number of packets supposed to be in the network? Because I think I obtained different results than with Wireshark, or maybe I don't know how to interpret it.

But I save the results in a log file that I open with Wireshark. Trying to process this file, Wireshark closed and put me in the command line: "Memory Error wireshark [18289 Gslice: failed to allocate 2048 bytes (alignment:2048) cannot allocate memory Aborted"

I have a problem with memory, but what? I really don't understand what happens.

And another question for Wireshark.. I always see the conversations in statistics to study the number of packets sent and received by client and server, and I always obtain the same number for sent and received, I mean, I can't see the number of lost packets in the network?? Because I tried with putting lost packets and always obtain the same number for packets sent and for packets received.. how can I see the number of lost packets?? Because all the packets the server sent cannot arrive to the client...

Thanks a lot for your help!! I need it very much!!

Greetings, Susana

(14 Dec '10, 13:22) Susana26


For more information on your "Out of memory" issue and some possible remedies, refer to http://wiki.wireshark.org/KnownBugs/OutOfMemory.

My general advice when performing long-term capturing in order to avoid such memory-related problems and to leave yourself with more manageable capture files is:

  • As Jasper already mentioned, run dumpcap instead of Wireshark.
  • Specify the most stringent capture filter you can in order to avoid capturing packets that you are not concerned with. This is not always easy/feasible depending on what you're trying to analyze, but in your case it sounds like you are only concerned with certain UDP packets. Furthermore, if you know the UDP port numbers or the specific host(s) involved, you can also further qualify the capture filter with that information as well. Click here for more information on capture filters.
  • Don't capture in promiscuous mode unless you need to.
  • If you don't necessarily care about capturing every byte of every packet, you might choose to reduce the snaplen in order to limit the number of bytes captured per packet.
  • Run dumpcap with the "-b filesize:NUM" option to limit the size of each capture file to some reasonable maximum. This will make each capture file a little easier to deal with. If you need to analyze data split across multiple files, you can always recombine the capture files later using mergecap.
  • Run dumpcap with the "-b files:NUM" option to ensure that you don't completely fill your disk, which could happen, depending on much data you are capturing and for how long.

For full dumpcap usage, refer to Section D.4 of the user guide.

answered 14 Dec '10, 18:05


cmaynard ♦♦
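The capture settings recommended in this answer, turned into a dumpcap command line as an added example (this is not code from the thread or from the Wireshark project). The interface name, host, port, snaplen and output path are assumed placeholder values for a localhost client/server test; every flag used is a documented dumpcap option, and the command is only printed unless RUN_CAPTURE=1 is set.

```shell
#!/bin/sh
# Added example: apply the advice above (tight capture filter, no promiscuous
# mode, reduced snaplen, bounded ring buffer) to a dumpcap invocation.
# Interface, host, port and output path are assumed placeholders.

# udp_filter HOST PORT: BPF capture filter keeping only the UDP traffic
# between the test client and server.
udp_filter() {
    printf 'udp and host %s and port %s' "$1" "$2"
}

# dumpcap_cmd IFACE FILTER SNAPLEN FILESIZE_KB NFILES OUTFILE: print the
# dumpcap command. -p disables promiscuous mode, -s caps bytes per packet,
# -b filesize:N starts a new file every N kB, -b files:N keeps at most N files
# (ring buffer), so disk use is bounded by roughly N * filesize.
dumpcap_cmd() {
    printf 'dumpcap -i %s -p -f "%s" -s %s -b filesize:%s -b files:%s -w %s' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# max_disk_kb FILESIZE_KB NFILES: upper bound on the space the ring buffer
# can occupy, useful to check against free space before a long capture.
max_disk_kb() {
    echo $(( $1 * $2 ))
}

# Demonstration with placeholder values: loopback interface, client and server
# on 127.0.0.1 port 5000, 100-byte snaplen, ten 100 MB files.
FILTER=$(udp_filter 127.0.0.1 5000)
CMD=$(dumpcap_cmd lo "$FILTER" 100 102400 10 /tmp/udp_test.pcap)
echo "capture command: $CMD"
echo "worst-case disk use: $(max_disk_kb 102400 10) kB"
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    eval "$CMD"   # requires dumpcap and permission to capture on the interface
fi
```

With the ring buffer active, dumpcap inserts a sequence number and timestamp into each output file name, so the pieces can later be recombined with mergecap if a single file is needed.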

Thanks cmaynard, but with dumpcap I have the same problems too :( I can't understand why. I tried all the things you told me, but Wireshark keeps crashing when I send around 200 MB from my server to my client.

And what about ... I always see the conversations in statistics to study the number of packets sent and received by client and server, and I always obtain the same number for sent and received, I mean, I can't see the number of lost packets in the network?? Because I tried with putting lost packets and always obtain the same number for packets sent and for packets received.. how can I see the number of lost packets?? Because all the packets the server sent cannot arrive to the client...

Maybe I'm not understanding quite well how Wireshark works...

Thanks a lot for your help!! Greetings, Susana

(15 Dec '10, 04:19) Susana26

So you're using dumpcap to capture packets and Wireshark to post-analyze them, and Wireshark still crashes? It sounds like you don't have enough memory to analyze the complete capture file and need to split it up further. Or perhaps you're running an older version of Wireshark with known bugs that have been fixed in later releases. You haven't mentioned anything about your particular OS, Wireshark and [Win|lib]pcap versions. All of that information is available under Help -> About Wireshark.

As for your other question, I think it's better to ask it separately.

(15 Dec '10, 07:19) cmaynard ♦♦

Yes, it is. Wireshark still crashes when I use it only for analyzing. Sorry for not giving the information before. I'm using Ubuntu version 10.04 LTS on a disk of 40 GB, but 37 GB are free. Wireshark is version 1.2.7 and the About dialog says: - Running on Linux 2.6.32-21-generic with libcap version 1.0.0

And the error I obtained when Wireshark crashes is "Memory Error wireshark [18289 Gslice: failed to allocate 2048 bytes (alignment:2048) cannot allocate memory Aborted"

Thanks a lot for your help. As you can see I don't know a lot about this.

(15 Dec '10, 13:19) Susana26

What UDP traffic does this capture file contain? It's possible you've encountered a dissector bug. If so, it might also be possible that this bug has already been fixed in the 1.4.x branch, so you might consider upgrading to 1.4.2. If an upgrade to 1.4.2 doesn't help, to help narrow down the problem, you could use editcap to recursively split the capture file until you're left with a much smaller capture file in which the problem is still evident, then you could post it to the developer's list or open a bug report, attaching the small capture file so someone could take a look at it.

(15 Dec '10, 13:35) cmaynard ♦♦

Each UDP packet only contains data because that is what I send. The size of each UDP packet is 9488 bytes.

I tried the option of limiting each packet's data to 100 bytes, but Wireshark continues crashing :( Thanks for your help!

(15 Dec '10, 14:09) Susana26


Susana26,

The issue won't be the amount of disk space - you have plenty. The error message seems to indicate that Wireshark can't allocate memory. This more likely points to RAM. On average Wireshark needs about 3 bytes of memory for every byte in the capture, so to get to the point in your capture of around 200MB, Wireshark will probably need about 600MB of RAM. Do you have enough RAM + swap space allocated? You can try running "top" in another window and watch what is happening to available memory while Wireshark is loading your file.

Alternatively, there could be a bug in the dissector triggered by the packet you are reading. You might want to try and use "editcap" to either split up your capture into smaller chunks or isolate to the exact packets where the problem is arising. If it is a particular packet causing an issue you can then file a bug report.

Martin

answered 15 Dec '10, 22:12


martyvis
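The editcap bisection suggested in cmaynard's comment and in Martin's answer above, written out as an added example (not code from the thread or from the Wireshark project): halve the crashing file repeatedly, keep whichever piece still crashes, and recombine pieces with mergecap or count them with capinfos once a file opens cleanly. The file names are assumed placeholders, 224965 is the packet count from the question, and the commands are only printed unless RUN_TOOLS=1 is set.

```shell
#!/bin/sh
# Added example: narrow a capture that exhausts Wireshark's memory by
# splitting it with editcap, then recombine or count the pieces.
# editcap, mergecap and capinfos are the real Wireshark CLI tools;
# file names and the starting packet count are placeholders.

# halve_plan TOTAL MIN: print the packets-per-file size for each bisection
# round, halving TOTAL until a chunk is no larger than MIN packets.
halve_plan() {
    n=$1
    while [ "$n" -gt "$2" ]; do
        n=$(( n / 2 ))
        printf '%s\n' "$n"
    done
}

# split_cmd IN OUT_PREFIX CHUNK: editcap -c writes IN into numbered output
# files of at most CHUNK packets each (editcap inserts a sequence number and
# timestamp into each name derived from OUT_PREFIX).
split_cmd() {
    printf 'editcap -c %s %s %s' "$3" "$1" "$2"
}

# merge_cmd OUT FILES...: mergecap recombines pieces into one capture.
merge_cmd() {
    out=$1; shift
    printf 'mergecap -w %s %s' "$out" "$*"
}

# count_cmd FILES...: capinfos -c reports the packet count of each piece;
# the total for the transfer is the sum over all pieces.
count_cmd() {
    printf 'capinfos -c %s' "$*"
}

# run_or_show CMD: execute when RUN_TOOLS=1, otherwise just print it.
run_or_show() {
    if [ "${RUN_TOOLS:-0}" = 1 ]; then eval "$1"; else echo "$1"; fi
}

# Bisection walk-through: after each split, open the pieces in Wireshark,
# keep the one that still crashes as input for the next round, discard the
# rest, and attach the final small piece to a bug report.
TOTAL=224965
ROUND=0
for chunk in $(halve_plan "$TOTAL" 1000); do
    ROUND=$(( ROUND + 1 ))
    echo "round $ROUND: split the crashing file into pieces of $chunk packets"
    run_or_show "$(split_cmd crashing.pcap "round${ROUND}.pcap" "$chunk")"
done
# Pieces from the first round together still hold the whole transfer.
run_or_show "$(count_cmd 'round1_*.pcap')"
run_or_show "$(merge_cmd whole.pcap 'round1_*.pcap')"
```

Splitting by packet count keeps each round deterministic; editcap's -i option splits by time interval instead, which is handier when the crash correlates with a point in the transfer rather than a packet number.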

Thanks Martin! I have tried top and I suppose you are correct, it is a problem of RAM memory. I have tried to separate the results in different files and it seems to work; now it doesn't crash. So the resulting number of packets is the sum of all these packets in the different files...

(16 Dec '10, 02:34) Susana26