This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Two different packet numbers in one line. Why?

Can anybody explain why tshark shows two different packet numbers in one line?

    [email protected]:~# tshark -a duration:10 -ni eth0 -f "host not 192.168.88.28"
    tshark: Lua: Error during loading:
     [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'eth0'
    1 0.000000 192.168.8.153 -> 188.226.182.180 ICMP 98 Echo (ping) request id=0x2b13, seq=2/512, ttl=64
    2 0.041023 188.226.182.180 -> 192.168.8.153 ICMP 98 Echo (ping) reply id=0x2b13, seq=2/512, ttl=53 (request in 1)
    2 3 2.002165 192.168.8.153 -> 188.226.182.180 ICMP 98 Echo (ping) request id=0x2b13, seq=3/768, ttl=64
    4 2.043022 188.226.182.180 -> 192.168.8.153 ICMP 98 Echo (ping) reply id=0x2b13, seq=3/768, ttl=53 (request in 3)
    4 5 4.004166 192.168.8.153 -> 188.226.182.180 ICMP 98 Echo (ping) request id=0x2b13, seq=4/1024, ttl=64

asked 01 Sep '14, 04:22

insekt

    [email protected]:~# tshark -v
    tshark: Lua: Error during loading:
     [string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
    TShark 1.10.6 (v1.10.6 from master-1.10)

    Copyright 1998-2014 Gerald Combs [email protected] and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    Compiled (32-bit) with GLib 2.39.91, with libpcap, with libz 1.2.8, with POSIX
    capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with
    Lua 5.2, without Python, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT
    Kerberos, with GeoIP.

    Running on Linux 3.13.0+, with locale C.UTF-8, with libpcap version 1.5.3, with
    libz 1.2.8.

    Built using gcc 4.8.2.

(01 Sep '14, 04:23) insekt

It seems it's a bug. The second number is an overall counter of captured packets.

(01 Sep '14, 07:40) insekt

One Answer:

This is a bug that's fixed in 1.12 but not in 1.10; for some reason I didn't backport the fix, perhaps because I thought it might not work in the older version.

It's actually a straightforward fix, so I backported it. The next 1.10 release, 1.10.10, should have the fix whenever it comes out.

answered 01 Sep '14, 15:53

Guy Harris ♦♦

Is it possible to install 1.12 on Ubuntu 14.04 armhf? This bug is very annoying and forces me to invent strange workarounds in my scripts; I've started to use tshark on a daily basis. Or at least push the next 1.10 release.

(12 Sep '14, 04:47) insekt

Using a distro release (e.g. Ubuntu) of Wireshark means you are generally going to be running behind the current Wireshark releases.

To get up to date on Ubuntu you'll likely have to build it yourself; the Developers Guide gives full details for doing that.

(12 Sep '14, 04:59) grahamb ♦

Even if 1.10.10 is pushed, Ubuntu 14.04 LTS will probably not pick it up, as they only do security fixes :-(

You could build 1.12 or the development version from source.

(12 Sep '14, 05:01) Anders ♦