This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What does “packets dropped” really mean?

Hi experts -

I am running a capture with dumpcap and rawshark on a very busy machine. I usually get a report like "Packets: 100847 Packets dropped: 1124898" from dumpcap (when I am killing it after 100,000 packets).

The dumpcap process is configured to capture on:

  1. one of 8 interfaces
  2. tcp port 80

(example: /root/monitor/wireshark-1.4.2/.libs/dumpcap -w- -f "tcp port 80" -i eth4)

Does the "packets dropped" count include packets from:

  1. other interfaces
  2. non-TCP / non-port 80,

or is it just packets dropped due to dumpcap not being able to capture fast enough? Is there a general way to check the reason for dropped packets?

Thanks - Yoav.

asked 02 Feb '11, 01:40

yoav

edited 02 Feb '11, 01:44


One Answer:

It means "packets dropped because they came in too fast for dumpcap to save"; the packet capture mechanisms that libpcap/WinPcap use (dumpcap, like tcpdump and many other packet-capture programs, uses libpcap/WinPcap) have a buffer into which packets received from the network are dumped, and if that buffer isn't emptied fast enough by the application, packets that arrive will be discarded. That's what the mechanisms count as dropped packets.

answered 02 Feb '11, 18:49

Guy Harris ♦♦
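The buffer behaviour described in the answer, as an added simulation that is not part of the original thread and is not libpcap or dumpcap code. The tick-based rates, slot counts and the function name `simulate_capture` are constructed for illustration; it shows why sustained overload gives a drop count far larger than the captured count, while a short burst is absorbed if the buffer is large enough.

```python
from collections import deque


def simulate_capture(arrivals_per_tick, drain_per_tick, buffer_slots):
    """Toy model of a capture buffer between the network and the application.

    arrivals_per_tick: packets arriving in each time step (constructed input)
    drain_per_tick:    packets the application can read and save per step
    buffer_slots:      capacity of the buffer, in packets
    """
    buffer = deque()
    delivered = dropped = 0
    seq = 0
    for arriving in arrivals_per_tick:
        # Packets land in the buffer; when it is full they are discarded
        # and counted as dropped.
        for _ in range(arriving):
            if len(buffer) < buffer_slots:
                buffer.append(seq)
            else:
                dropped += 1
            seq += 1
        # The application empties at most drain_per_tick packets per step.
        for _ in range(min(drain_per_tick, len(buffer))):
            buffer.popleft()
            delivered += 1
    return {"arrived": seq, "delivered": delivered,
            "dropped": dropped, "still_buffered": len(buffer)}


# Constructed scenarios.
# 1. Sustained overload: 12 packets arrive per tick, the reader saves 1.
sustained = simulate_capture([12] * 1000, drain_per_tick=1, buffer_slots=100)
# 2. One burst of 50 packets, then silence, with a buffer that can hold it.
burst_big_buffer = simulate_capture([50] + [0] * 99, 1, buffer_slots=100)
# 3. The same burst with a buffer that is too small for it.
burst_small_buffer = simulate_capture([50] + [0] * 99, 1, buffer_slots=10)

if __name__ == "__main__":
    for name, result in [("sustained overload", sustained),
                         ("burst, 100 slots", burst_big_buffer),
                         ("burst, 10 slots", burst_small_buffer)]:
        print(f"{name}: {result}")
```

In the sustained case no buffer size changes the outcome beyond the first few ticks: only a faster reader or a lower arrival rate reduces the drop count.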