This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

wireshark selectively displaying packets?

0

I have noticed that when I am sending/receiving 'too many' packets through my interface, some don't get displayed in Wireshark, but I know that they are being transmitted. For example, once I started receiving many UDP packets, my ping that was running in the background didn't show up in Wireshark, yet was successfully communicating in the background. What is the reason for this, and how can I make sure that I know all that is being communicated between two devices?

asked 23 Mar '14, 04:50

itrustedyou


2 Answers:

1

Try increasing the buffer size in the capture options and don't use "Update list of packets in real time".

Please read http://wiki.wireshark.org/Performance for more info.

answered 23 Mar '14, 08:54

Roland

This is useful info, but I still don't receive many packets that I know are being transmitted, even with this option!

(24 Mar '14, 11:13) itrustedyou

Have you also tried increasing the buffer size when capturing with dumpcap?

You can use a hardware-based capture device if you need to see everything. There was a presentation about capture drops at SharkFest 2013 - PA-05:

http://sharkfest.wireshark.org/sharkfest.13/index.html

(24 Mar '14, 13:12) Roland

OK, just saw this. Wow, that SharkFest looks damn cool. I'll look at the presentation in the next couple of days. Thank you!!

(07 Apr '14, 02:36) itrustedyou

1

Best capture performance is achieved by not using Wireshark to capture the data, but by running dumpcap on a command line. Dumpcap is the tool that Wireshark uses to capture packets and re-reads the file constantly. If you need maximum capture performance it is best to avoid using Wireshark while dumpcap is capturing. You can find dumpcap in the Wireshark installation directory.

Use "dumpcap -D" to get a list of available capture interfaces and their indexes, then run "dumpcap -i [interfaceindex] -w [filename]" to capture on the interface you want.

answered 23 Mar '14, 09:46

Jasper ♦♦

OK, I have done this, but still I see only one packet (this is an improvement though) from ping, while I know that many are being transmitted back and forth. I don't know what else I can do?

(24 Mar '14, 11:11) itrustedyou