This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey there, I downloaded some of the sample capture files from the Wireshark store, and ran a test to see if there is any difference in packet counting between Wireshark and tcpstat. And the answer is totally yes! Why is that so? I did the test with this file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=pgsql-jdbc.pcap.gz

The display filter I used for Wireshark is "pgsql", and it gave me 9698 packets. But tcpstat with the same file and display filter "port postgres" gave me 12453 packets. Both of them counted the total packets as 18472.

Why is that so?

Thanks

asked 09 Jun '14, 00:53


abd


Probably because you used "pgsql", which filters on the application protocol, which will leave out all TCP management packets (Three Way Handshake, empty ACK-Packets, Session Teardown). Try filtering on "tcp.port==5432" and you should get the correct number of packets.


answered 09 Jun '14, 03:37


Jasper ♦♦

Soooo true. Thank you veeery much. Then, according to the way the 2 (Wireshark and bpf based tools) do it, it seems Wireshark would be a bit slower in large amounts, right?

Thanks

(09 Jun '14, 04:15) abd

I'm pretty sure Wireshark does way more processing on packets than tcpstat does while reading a file, and it keeps more data in memory about what it saw in previous packets. That would make it slower, yes.

(09 Jun '14, 04:22) Jasper ♦♦
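
The difference described in the answer above, as an added example that is not part of the original thread: it builds a small constructed pcap in memory and counts packets the way a port filter does versus counting only segments that carry application data. Treating "has TCP payload" as a stand-in for what the `pgsql` display filter matches is an assumption made for illustration; the helper names and sample session are hypothetical.

```python
import struct

def tcp_frame(sport, dport, flags, payload=b""):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def count_packets(pcap, port=5432):
    """Return (total, on_port, on_port_with_payload) for a little-endian Ethernet pcap."""
    total = on_port = with_payload = 0
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        total += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack_from("!H", frame, 16)[0]
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        if port not in (sport, dport):
            continue
        on_port += 1  # what "port postgres" / tcp.port==5432 counts
        data_off = (frame[tcp_off + 12] >> 4) * 4
        if ip_total - ihl - data_off > 0:
            with_payload += 1  # segments that carry application data
    return total, on_port, with_payload

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
SAMPLE = build_pcap([  # constructed session, not taken from pgsql-jdbc.pcap
    tcp_frame(40000, 5432, SYN), tcp_frame(5432, 40000, SYN | ACK),
    tcp_frame(40000, 5432, ACK),
    tcp_frame(40000, 5432, PSH | ACK, b"Q\x00\x00\x00\x0dSELECT 1\x00"),
    tcp_frame(5432, 40000, ACK),
    tcp_frame(5432, 40000, PSH | ACK, b"Z\x00\x00\x00\x05I"),
    tcp_frame(40000, 5432, FIN | ACK), tcp_frame(5432, 40000, FIN | ACK),
    tcp_frame(40000, 80, SYN),
])
print(count_packets(SAMPLE))
```

The handshake, the empty ACK and the two FIN segments are on port 5432 but carry no data, which is the gap between the second and third counts.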

question asked: 09 Jun '14, 00:53

question was seen: 1,771 times

last updated: 09 Jun '14, 04:22
