This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have polled asynchronously a SNMP device in a simulated network using a java file, written with SNMP API. In a 30 seconds of polling time, I have sent around 350000 V1 Get requests.

My SNMP API listener showing that all the request have been sent and got success response for each request. But when I capture the packets using wireshark, it is not showing that all the packets are sent. When I check the request id of the snmp packets in wireshark,I could able to find out that the last request's requst id is same to the total number of packets sent by SNMP API. But request id of some other SNMP packets are missing in the wireshark.

For a 1 second polling, all the packets are captured in wireshark successfully. But when the polling time is increased, packet missing is occurred. For a 30 second polling, 350k requests, wireshark missed around 3k requests. If my API showing that 350k requests was sent, the first request id in wireshark is 1 and the last request id is 350k. But in between 1 and 350k, some requests are missing in wireshark.

Is there any limitation for wireshark like that it can capture only a particular number of packets per second?

Why this scenario occurred? Please help me to figure out this.

Thanks in advance.

asked 20 Sep '15, 21:35

BlueMan's gravatar image

BlueMan
6113
accept rate: 0%

edited 21 Sep '15, 06:33

What version of what operating system are you capturing on? What does Wireshark show in the "About Wireshark" dialog?

(20 Sep '15, 22:13) Guy Harris ♦♦

I am using Ubuntu 12.04.5 LTS machine. In the "About Wireshark" dialog, its showing that ->

"Version 1.6.7

Copyright 1998-2012 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.10, with GLib 2.32.0, with libpcap (version unknown), with libz 1.2.3.4, with POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.5, with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Dec 10 2011 11:43:10), without AirPcap.

Running on Linux 3.2.0-23-generic, with libpcap version 1.1.1, with libz 1.2.3.4, GnuTLS 2.12.14, Gcrypt 1.5.0.

Built using gcc 4.6.3."

(20 Sep '15, 23:11) BlueMan

Does the status bar at the bottom of Wireshark show any information about dropped packets when you stop the capture? I can't remember if your very old version did that?

(21 Sep '15, 07:21) grahamb ♦

I couldn't able to find out any such information in wireshark. Did the latest version have that type of information?

(21 Sep '15, 22:27) BlueMan

Running on Linux 3.2.0-23-generic, with libpcap version 1.1.1

Then you're running with a version of the Linux kernel with support for versions 1 (TPACKET_V1), 2 (TPACKET_V2), and 3 (TPACKET_V3) of the "turbopacket" memory-mapped capture mechanism and a version of libpcap that only supports versions 1 and 2.

TPACKET_V3 is a LOT better than TPACKET_V1 and TPACKET_V2 for packet capture; it makes MUCH more efficient use of the kernel capture buffer space. Libpcap 1.1.1 makes better use of the TPACKET_V1/TPACKET_V2 mechanism's buffer space than did even older versions, but that's still not enough to make it work really well.

If you could download, for example, the libpcap 1.7.4 source, compile it, install it, and rebuild Wireshark from source, linking it with the installed version of libpcap, that will probably drop a lot fewer packets, as it'll be using TPACKET_V3 - it might even be able to capture the fast burst of traffic (11666 packets per second!) without dropping packets. A worst-case scenario for TPACKET_V1 and TPACKET_V2 is a lot of small packets - each of the slots in the kernel's buffer for TPACKET_V1 and TPACKET_V2 can hold only one packet, no matter how small the packets are, so small packets waste a lot of space, whereas a slot for TPACKET_V3 can hold as many packets as will fit in the slot, and the smaller the packets, the more will fit.

permanent link

answered 21 Sep '15, 00:58

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

"If you could download, for example, the libpcap 1.7.4 source, compile it, install it, and rebuild Wireshark from source, linking it with the installed version of libpcap, that will probably drop a lot fewer packets, as it'll be using TPACKET_V3"

Please explain the detailed steps so that I can do this in my Ubuntu 12.04.5 LTS machine and test it.

Thanks a lot for your guidance.

(21 Sep '15, 01:32) BlueMan

I'm not sure about libpcap, but for building Wireshark see the Developers Guide.

On Ubuntu previously I've used sudo apt-get build-dep wireshark to get all the dependencies, and then used CMake to build (look at readme.CMake in the Wireshark top level sources).

(21 Sep '15, 07:25) grahamb ♦

I have updated wireshark from 1.6.7 to 1.8.2 using the commands : "sudo add-apt-repository ppa:eugenesan/ppa sudo apt-get update sudo apt-get install wireshark".

In this one also the libcap version is 1.1.1. Packet missing is occuring in this 1.8.2 version also, when I used the SNMP API polling java file.

When I used a script file using the netsnmp command for polling, out of 300000 requests, 287 were missing. The script file content is given below. "for (( i=1; i<=300000; i++ )) do snmpget -v 1 -c public -t 5 1.1.1.1:8001 .1.3.6.1.2.1.1.1.0 done "

The request per second sent by the netsnmp script file is very much less than the request per second sent by the SNMP API java file. That may be the reason for the missing packet count is reduced for netsnmp request.

From this can I confirm that wireshark will miss packet capture for a large number of request per second?

(25 Sep '15, 02:25) BlueMan

I tried to install the wireshark 1.12.7 from www.wireshark.org, in my Ubuntu 12.04. I downloaded the source code for installation. But there was no make file present in that tar file, as said in the "https://www.wireshark.org/docs/wsug_html_chunked/ChBuildInstallUnixBuild.html"

Can you please help me how can I install wireshark 1.12.7 in my machine?

Is that version contain the latest libcap version so that there should not be any missing packets?

(25 Sep '15, 02:30) BlueMan

libpcap is a separate project, instructions on how to clone the repo and build are at http://www.tcpdump.org/#source.

For Wireshark we have the Developers Guide.

(25 Sep '15, 02:36) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×12

question asked: 20 Sep '15, 21:35

question was seen: 2,290 times

last updated: 25 Sep '15, 02:56

p​o​w​e​r​e​d by O​S​Q​A