hi experts - I am running a capture with dumpcap and rawshark on a very busy machine. I usually get a report like "Packets: 100847 Packets dropped: 1124898" from dumpcap (when I kill it after 100,000 packets). The dumpcap process is configured to capture on:
(example: /root/monitor/wireshark-1.4.2/.libs/dumpcap -w- -f tcp port 80 -i eth4). Does the "packets dropped" count include packets from:
or is it just packets dropped due to dumpcap not being able to capture fast enough? Is there a general way to check the reason for dropped packets? Thanks - Yoav.
asked 02 Feb '11, 01:40 yoav, edited 02 Feb '11, 01:44
One Answer:
It means "packets dropped because they came in too fast for dumpcap to save"; the packet capture mechanisms that libpcap/WinPcap use (dumpcap, like tcpdump and many other packet-capture programs, uses libpcap/WinPcap) have a buffer into which packets received from the network are dumped, and if that buffer isn't emptied fast enough by the application, packets that arrive will be discarded. That's what the mechanisms count as dropped packets.
answered 02 Feb '11, 18:49 Guy Harris
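The answer above says what dumpcap's "Packets dropped" counts: packets libpcap's capture buffer had to discard because the application did not drain it in time. It does not count packets the NIC or driver dropped before libpcap ever saw them. The following is an added example, not code from the thread or from the Wireshark project, showing one general way to tell the two apart: parse dumpcap's final report line and compare it with the interface's own RX "drop" counter from /proc/net/dev taken before and after the capture. The report line reuses the numbers from the question; the /proc/net/dev snapshots, the function names and the interface counters are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Wireshark project.
# It parses dumpcap's final "Packets: N Packets dropped: M" report (the
# number libpcap counts as dropped because the capture buffer was not
# drained fast enough) and compares it with the interface's own RX "drop"
# counter from /proc/net/dev, which counts packets the driver dropped before
# libpcap ever saw them and which dumpcap does not report.

# Constructed sample input. The report line reuses the numbers from the
# question; the /proc/net/dev snapshots are made up for the example.
DUMPCAP_REPORT='Packets: 100847 Packets dropped: 1124898'

PROC_NET_DEV_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth4: 9184734152 7712411    0   37    0     0          0    12034 334455667  2234455    0    0    0     0       0          0'

# Snapshot after the capture: RX drop counter unchanged (37).
PROC_NET_DEV_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth4: 9991234567 9012345    0   37    0     0          0    12890 345566778  2345566    0    0    0     0       0          0'

# Alternative snapshot where the NIC/driver also dropped packets (37 -> 52).
# Written as "eth4:9991234567" on purpose: some kernels print no space after
# the colon once the byte counter gets wide.
PROC_NET_DEV_AFTER_NICDROP='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth4:9991234567 9012345    0   52    0     0          0    12890 345566778  2345566    0    0    0     0       0          0'

# dumpcap_drop_summary REPORT_TEXT
# Prints "captured dropped percent", where percent is the share of all packets
# libpcap saw (captured + dropped) that were discarded, rounded to an integer.
dumpcap_drop_summary() {
    printf '%s\n' "$1" | awk '
        /^Packets: [0-9]+ Packets dropped: [0-9]+$/ {
            cap = $2; drop = $5; total = cap + drop
            pct = (total > 0) ? int(100 * drop / total + 0.5) : 0
            print cap, drop, pct
        }'
}

# rx_drops IFACE PROC_NET_DEV_TEXT
# Prints the RX "drop" counter for IFACE. After "iface:" the columns are
# bytes packets errs drop fifo frame compressed multicast (then TX columns),
# so drop is the 4th number. The line is split at the colon rather than on
# whitespace so "eth4:12345" (no space after the colon) parses too.
rx_drops() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $0 ~ ("(^|[ \t])" want ":") {
            counters = $0
            sub(/^[^:]*:/, "", counters)
            split(counters, f, " ")   # fs " " = default splitting, trims blanks
            print f[4]
        }'
}

# classify_drops REPORT_TEXT IFACE PROC_BEFORE PROC_AFTER
# Prints "<class> <pcap_dropped> <percent> <interface_drop_delta>" where class is
#   libpcap-buffer : only the capture buffer overflowed (application too slow)
#   both           : buffer overflow plus drops at the interface/driver level
#   interface-only : dumpcap saw no drops, but the interface itself dropped packets
#   none           : no drops at either level
classify_drops() {
    summary=$(dumpcap_drop_summary "$1")
    if [ -z "$summary" ]; then
        echo "no dumpcap report line found" >&2
        return 1
    fi
    pcap_drop=${summary#* }; pcap_drop=${pcap_drop%% *}
    pct=${summary##* }
    if_delta=$(( $(rx_drops "$2" "$4") - $(rx_drops "$2" "$3") ))
    if [ "$pcap_drop" -gt 0 ] && [ "$if_delta" -eq 0 ]; then
        class=libpcap-buffer
    elif [ "$pcap_drop" -gt 0 ]; then
        class=both
    elif [ "$if_delta" -gt 0 ]; then
        class=interface-only
    else
        class=none
    fi
    printf '%s %s %s %s\n' "$class" "$pcap_drop" "$pct" "$if_delta"
}

# Stand-alone run over the constructed samples.
classify_drops "$DUMPCAP_REPORT" eth4 "$PROC_NET_DEV_BEFORE" "$PROC_NET_DEV_AFTER"
classify_drops "$DUMPCAP_REPORT" eth4 "$PROC_NET_DEV_BEFORE" "$PROC_NET_DEV_AFTER_NICDROP"
```

To use it on a real capture, save `/proc/net/dev` before starting dumpcap, run dumpcap with its stderr redirected to a file (the "Packets: ... Packets dropped: ..." line goes there), save `/proc/net/dev` again after stopping it, and feed the three texts to `classify_drops`. Where `ethtool -S` is available for the NIC it gives finer driver-level counters than the single `/proc/net/dev` column. A "libpcap-buffer" verdict with a drop rate like the 92% in the question means the consumer is the bottleneck; the usual remedies are a larger capture buffer (dumpcap's `-B` option, where your dumpcap build and libpcap support it), a tighter `-f` capture filter, a smaller `-s` snaplen, and writing to a fast local file rather than piping the live stream through rawshark.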