I am using dumpcap (v1.12.1) on a Raspberry Pi 3 Model B to monitor incoming logging information over a full speed USB link attached to an embedded project. Input data rate is approximately 70KB/sec. The packet protocol is rather simple - a single byte of command (identifying the log source), a 16-bit byte count followed by some number of bytes of data. This is being sent over a Bulk Endpoint connection and byte counts are exactly 0x3000 for one log source and anywhere in the range 0x200-0x230 for the other.

On the Pi I am using the command "dumpcap -i 8 -b filesize:10000 -b files:20 -w /mnt/Tap/logServer/LOGs/Wireshark/capt.pcap" to create a rolling list of 20 10MB files before the oldest is overwritten.

When I compare the Wireshark display of a pcap file to the binary file of logged data, I'm seeing the first 32 bytes of data following the protocol header, followed by 96 bytes of data that shows up in the log file but not on the Wireshark display. This repeats through the end of each log packet - 32 bytes displayed, 96 bytes missing. I have checked dozens of packets and it's never more or less - always the same 32/96 mix.

While I've used Wireshark for a number of years, I am relatively new to using it for USB and I am very new to using dumpcap, so I suspect I have something messed up in the configuration. I've been through the dumpcap manpage but don't see anything that might lead to what I'm seeing.
I'd be grateful if anyone has any ideas on what I'm doing wrong.
asked 17 Dec '16, 11:36
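An added example, not part of the original question: one way to measure the displayed/missing pattern described above mechanically, by aligning the payload a capture shows against the same record in the binary log. The function names, the little-endian byte order of the 16-bit count, and the sample record are assumptions constructed for illustration.

```python
import struct
from collections import Counter

HEADER = struct.Struct("<BH")  # 1 command byte + 16-bit count; little-endian is assumed

def split_record(buf):
    """Split one record into (command, declared count, payload bytes present)."""
    cmd, count = HEADER.unpack_from(buf, 0)
    return cmd, count, buf[HEADER.size:HEADER.size + count]

def align_runs(logged, shown, sync=8):
    """Walk the logged payload and label each stretch as present in or
    absent from the payload the capture displays. Returns [(kind, length)]."""
    runs, i, j = [], 0, 0
    while i < len(logged):
        start = i
        if j < len(shown) and logged[i] == shown[j]:
            while i < len(logged) and j < len(shown) and logged[i] == shown[j]:
                i, j = i + 1, j + 1
            runs.append(("shown", i - start))
        else:
            # Resynchronise on the next `sync` displayed bytes; if none are
            # left (or they never reappear) the rest of the log is missing.
            nxt = logged.find(shown[j:j + sync], i) if j < len(shown) else -1
            i = len(logged) if nxt == -1 else nxt
            runs.append(("missing", i - start))
    return runs

def make_sample():
    # Constructed data: a 0x3000-byte record, and a copy keeping 32 of every 128 bytes.
    payload = bytes(k % 251 for k in range(0x3000))
    kept = b"".join(payload[p:p + 32] for p in range(0, len(payload), 128))
    header = HEADER.pack(0x01, len(payload))
    return header + payload, header + kept

def summarize(logged_rec, captured_rec):
    """Return the declared byte count and a tally of (kind, length) runs."""
    _, count, logged = split_record(logged_rec)
    _, _, shown = split_record(captured_rec)
    return count, Counter(align_runs(logged, shown))

if __name__ == "__main__":
    count, tally = summarize(*make_sample())
    print(hex(count), dict(tally))
```

On real data, the alignment is only unambiguous when the payload does not repeat within the resync window, so a larger `sync` value is safer for logs with repetitive content.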