Hey there, I downloaded some of the sample capture files from the Wireshark store and ran a test to see if there is any difference in packet counting between Wireshark and tcpstat. And the answer is totally yes! Why is that so? I did the test with this file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=pgsql-jdbc.pcap.gz
The display filter I used for Wireshark is "pgsql", and it gave me 9698 packets. But tcpstat with the same file and the display filter "port postgres" gave me 12453 packets. Both of them counted the total packets as 18472.
Why is that so?
asked 09 Jun '14, 00:53
Probably because you used "pgsql", which filters on the application protocol and therefore leaves out all TCP management packets (three-way handshake, empty ACK packets, session teardown). Try filtering on "tcp.port==5432" and you should get the correct number of packets.
answered 09 Jun '14, 03:37
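To make the difference between the two filters concrete, here is an added example (not from the question, the answer, or the Wireshark project) that builds a small constructed pcap of a PostgreSQL-like TCP session plus one unrelated frame, then counts it two ways with the standard library only: a transport-layer count equivalent to a BPF `port 5432` filter, and an application-layer count that keeps only segments carrying payload bytes, which is what a dissector filter such as `pgsql` is approximating. The frames, addresses and ports are constructed sample data; the "payload present" rule is an assumption standing in for Wireshark's real `pgsql` dissector, which is if anything more selective (segments that are only part of a reassembled PDU show as TCP, not pgsql), so the payload count is an upper bound on what `pgsql` would match.

```python
"""Count frames the way a transport-layer filter ("port 5432") and an
application-layer filter (non-empty PostgreSQL payload) would, on a
constructed pcap, to show why the two numbers differ.

Pure standard library: a minimal pcap writer/reader for Ethernet/IPv4/TCP.
All sample traffic is constructed here; it is not real capture data."""
import struct

PGSQL_PORT = 5432  # the "postgres" service port

# ---- frame and pcap builders (constructed sample traffic) -------------------

def tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build raw Ethernet/IPv4/TCP bytes. Checksums are left zero; we only count."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)          # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl, orig
    return out

# ---- minimal pcap reader ----------------------------------------------------

def iter_frames(pcap):
    """Yield each raw frame in a little-endian classic pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        yield pcap[off + 16: off + 16 + incl]
        off += 16 + incl

def parse_tcp(frame):
    """Return (sport, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                       # IPv4 protocol field: 6 = TCP
        return None
    t = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, t)
    doff = (frame[t + 12] >> 4) * 4
    flags = frame[t + 13]
    payload = frame[t + doff: 14 + total_len]   # honour IP total length
    return sport, dport, flags, payload

# ---- the two ways of counting -----------------------------------------------

def count_all(pcap):
    return sum(1 for _ in iter_frames(pcap))

def count_port(pcap, port):
    """BPF-style "port N": every TCP segment to or from the port, payload or not."""
    return sum(1 for f in iter_frames(pcap)
               if (t := parse_tcp(f)) and port in t[:2])

def count_app_layer(pcap, port):
    """Approximation of a dissector filter such as "pgsql": only segments that
    carry application bytes. Handshake, bare ACKs and teardown drop out."""
    return sum(1 for f in iter_frames(pcap)
               if (t := parse_tcp(f)) and port in t[:2] and len(t[3]) > 0)

# ---- constructed sample session: handshake, two pgsql messages, teardown ----

C, S = "10.0.0.5", "10.0.0.10"                 # constructed client/server addresses
SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
# PostgreSQL v3.0 StartupMessage: int32 length, int32 196608, "user\0postgres\0\0"
_params = b"user\x00postgres\x00\x00"
STARTUP = struct.pack("!II", 8 + len(_params), 196608) + _params
AUTH_OK = b"R" + struct.pack("!II", 8, 0)      # AuthenticationOk message

SAMPLE_FRAMES = [
    tcp_frame(C, S, 51000, PGSQL_PORT, SYN),                 # three-way handshake
    tcp_frame(S, C, PGSQL_PORT, 51000, SYN | ACK),
    tcp_frame(C, S, 51000, PGSQL_PORT, ACK),
    tcp_frame(C, S, 51000, PGSQL_PORT, PSH | ACK, STARTUP),  # pgsql payload
    tcp_frame(S, C, PGSQL_PORT, 51000, ACK),                 # bare ACK
    tcp_frame(S, C, PGSQL_PORT, 51000, PSH | ACK, AUTH_OK),  # pgsql payload
    tcp_frame(C, S, 51000, PGSQL_PORT, ACK),                 # bare ACK
    tcp_frame(C, S, 51000, PGSQL_PORT, FIN | ACK),           # session teardown
    tcp_frame(S, C, PGSQL_PORT, 51000, ACK),
    tcp_frame(S, C, PGSQL_PORT, 51000, FIN | ACK),
    tcp_frame(C, S, 51000, PGSQL_PORT, ACK),
    tcp_frame(C, "10.0.0.20", 51001, 80, SYN),               # unrelated frame, port 80
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print("total frames:        ", count_all(SAMPLE_PCAP))            # 12
    print("'port 5432' frames:  ", count_port(SAMPLE_PCAP, PGSQL_PORT))  # 11
    print("frames with payload: ", count_app_layer(SAMPLE_PCAP, PGSQL_PORT))  # 2
```

On the constructed session, the port filter matches 11 of 12 frames while only 2 carry PostgreSQL bytes; the other 9 are exactly the handshake, bare ACKs and teardown the answer describes. On a real capture the same logic explains a gap of the size in the question, and `tcp.port==5432` in Wireshark corresponds to the port-based count, not the dissector-based one.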