Issue encountered with both Wireshark 2.2.7/Windows 7 and Wireshark 2.2.6/Ubuntu. Capture file contains 2205662 packets; packets truncated at 96 bytes during capture. Statistics->Packet Lengths displays as follows:
So, Wireshark sees all 2205662 packets, and identifies a max size of 62702 bytes...but displays a count of 0 for lengths "5120 and greater". If I apply a display filter of "frame.len > 5119", Wireshark finds/displays 46973 packets, as expected; that number accounts for the discrepancy between the total count in Statistics->Packet Lengths and the displayed counts in the histogram. Did I miss a configuration in Preferences, or is this a bug? On a whim, I unchecked "assume short frames" in Ethernet preferences, but that change did not affect this behavior. asked 22 Jun '17, 10:38  wesmorgan1 |
One Answer:
OK, I'm calling this a bug. Bug 13844 opened against Wireshark 2.2.7 answered 23 Jun '17, 14:38 wesmorgan1 |
If you think this is a bug please file a bugreport at BugZilla including the capture file and these numbers. That gives someone to work with investigating the situation and test possible corrections.
I'll do just that, as soon as I anonymize the trace - I was only doing 'due diligence' to make sure I hadn't missed anything (configuration, preferences, capture options, whatever) on my end before opening a bug report. Thanks!