Hey there, I downloaded some of sample capture files from the wireshark store, and ran a test to see if there is any difference in packet counting between wireshark and tcpstat. And the answer is totally yes! Why is that so? I did the test with this file: http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=pgsql-jdbc.pcap.gz The display filter for wireshark I used, is "pgsql" and it gave me 9698 packets. But tcpstat with the same file and display filter "port postgres" gave me 12453 packets. Both of them counted the total packets 18472. Why is that so? Thanks asked 09 Jun '14, 00:53  abd |
One Answer:
Probably because you used "pgsql", which filters on the application protocol, which will leave out all TCP management packets (Three Way Handshake, empty ACK-Packets, Session Teardown). Try filtering on "tcp.port==5432" and you should get the correct number of packets. answered 09 Jun '14, 03:37  Jasper ♦♦ |
Soooo ture. Thank you veeery much. Then, according to the way the 2 do(Wireshark and bpf based tools) it, it seems wireshark would be a bit slower in large amounts, right?
Thanks
I'm pretty sure Wireshark does way more processing on packets than tcpstat does while reading a file, and it keeps more data in memory about what it saw in previous packets. That would make it slower, yes.