This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Does packet drop reported by tshark really mean packet drop?

0

Hi experts,

Would this kind of case happen? Large amounts of data come into the NIC. The NIC was capable of processing such amounts of data, but tshark, or even dumpcap, was not capable of handling this.

We saw packet drops reported by tshark when capturing. Does it really mean that we have data drops here? How can we determine whether the packet drops reported by tshark or dumpcap are real?

Thank you!

asked 17 Aug '14, 20:44

SteveZhou


One Answer:

0

Usually if tshark/dumpcap report dropped packets, there are dropped packets. You can manually verify this if you have lots of TCP packets, because you'll often see messages like "previous segment not captured" and "acked unseen segment". The first tells you that there is something missing (which could also be normal packet loss, of course), but the second tells you that Wireshark saw acknowledge packets for packets it doesn't have in the capture - those are usually dropped packets, as long as you have at least a few packets going both directions (otherwise you could suffer from asynchronous routing).

answered 18 Aug '14, 00:36

Jasper ♦♦

Hi Jasper,

Sorry in advance if I misunderstood your answer above.

These two situations you mentioned could also be due to huge amounts of incoming packets that tshark just cannot keep pace with when capturing, but those packets were actually not dropped from the NIC's perspective. tshark said "I got packet drop", but the NIC did send the packets to the destination successfully. In this case, we cannot just conclude that we are having packet drops, right?

(18 Aug '14, 22:40) SteveZhou
1

Okay, I think you're talking about a system capturing its own traffic (which is not a good idea, but sometimes it can't be helped). You need to distinguish between the normal send/receive and the additional capture process - drops are packets missing from the capture process, not the normal NIC operation. They don't affect normal communication, so packets will be sent and received even if the capture does not pick them up.

(18 Aug '14, 22:53) Jasper ♦♦

Correct, that's what I'm talking about!

I think we can look at the captured trace and see if we got duplicate ACKs and/or retransmissions. If that was the case, then we are hitting a real packet drop situation. Do you think so?

(19 Aug '14, 02:39) SteveZhou
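
The distinction discussed in this thread, as an added example that is not part of the original posts and is not Wireshark's own analysis code: a simplified Python model that walks the segments of one TCP connection and labels each hole in the captured byte stream. It assumes relative sequence numbers, no wraparound and no SACK; `Seg`, `classify_gaps` and `SAMPLE` are hypothetical names, and the sample segments are constructed.

```python
from collections import namedtuple

# Constructed record: dir is "A>B" or "B>A"; seq/ack are relative numbers.
Seg = namedtuple("Seg", "dir seq length ack")

def classify_gaps(segments):
    """Return (dir, start, end, verdict) for every hole in the captured stream."""
    next_seq = {}  # dir -> highest seq+len seen in the capture
    gaps = {}      # dir -> list of [start, end, verdict]
    for s in segments:
        peer = "B>A" if s.dir == "A>B" else "A>B"
        seen = next_seq.get(s.dir)
        if s.length:
            end = s.seq + s.length
            if seen is not None and s.seq > seen:
                # "previous segment not captured": bytes seen..seq are missing
                gaps.setdefault(s.dir, []).append([seen, s.seq, "unresolved"])
            elif seen is not None and s.seq < seen:
                # data below the high-water mark: a retransmission fills the hole,
                # which is consistent with real loss before the capture point
                for g in gaps.get(s.dir, []):
                    if g[2] == "unresolved" and s.seq <= g[0] and end >= g[1]:
                        g[2] = "retransmitted"
            next_seq[s.dir] = max(seen or 0, end)
        peer_seen = next_seq.get(peer)  # needs traffic in both directions
        if peer_seen is not None and s.ack > peer_seen:
            # "ACKed unseen segment": the receiver got bytes the capture never saw
            gaps.setdefault(peer, []).append([peer_seen, s.ack, "capture-drop"])
            next_seq[peer] = s.ack
        for g in gaps.get(peer, []):
            # a hole ACKed without any captured retransmission was delivered
            if g[2] == "unresolved" and s.ack >= g[1]:
                g[2] = "capture-drop"
    return [(d, *g) for d in sorted(gaps) for g in gaps[d]]

SAMPLE = [  # constructed trace: A sends 100-byte segments, B only ACKs
    Seg("A>B", 1, 100, 1),   Seg("B>A", 1, 0, 101),
    Seg("A>B", 201, 100, 1), Seg("B>A", 1, 0, 301),  # 101-200 never captured
    Seg("A>B", 401, 100, 1), Seg("B>A", 1, 0, 301),  # duplicate ACK for 301
    Seg("A>B", 301, 100, 1), Seg("B>A", 1, 0, 501),  # retransmission fills hole
    Seg("B>A", 1, 0, 601),                           # ACK beyond anything seen
]

if __name__ == "__main__":
    for gap in classify_gaps(SAMPLE):
        print(gap)
```

On a real capture, the two conditions the model imitates can be listed with the display filters `tcp.analysis.lost_segment` and `tcp.analysis.ack_lost_segment`.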