Ethereal-users: [Ethereal-users] RE: dropped packets sniffing gig ethernet

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "David Erickson" <derickson@xxxxxxx>
Date: Fri, 22 Mar 2002 11:36:17 -0800
Diana and Guy, thanks for all the suggestions: 

- incr. ram, 
- use tethereal or tcpdump
- modify the counter in ethereal
- rebuild the linux kernel with increased timestamp resolution

I'll try some of these and let you know the results.

-Dave

Message: 3
From: "Eichert, Diana" <deicher@xxxxxxxxxx>
To: "'ethereal-users@xxxxxxxxxxxx'" <ethereal-users@xxxxxxxxxxxx>
Subject: RE: [Ethereal-users] dropped packets sniffing gig ethernet
Date: Thu, 21 Mar 2002 13:13:49 -0700

> -----Original Message-----
> From: David Erickson [mailto:derickson@xxxxxxx]
> Sent: March 21, 2002 1:04 PM
> To: ethereal-users@xxxxxxxxxxxx
> Subject: [Ethereal-users] dropped packets sniffing gig ethernet
> 
> 
> I'm trying to sniff gigabit ethernet traffic (through a Cisco 
> 6500 switch using portspanning).  
> I am using an Intel gig ether NIC on a Windows P3 866, 256MB, 
> 512MB Swap with 
> 33mhz/64bit PCI bus running Win2k server.
> 
> The number of dropped packets is excessive (50%), which is 
> probably because the 
> workstation needs more horsepower.  I would like to spec out 
> a replacement system
> adequate for the task, so my question is, for anyone who is getting
> good results sniffing gigabit ethernet traffic, what is the 
> minimum configuration
> you've found is required?  Is Win2k up to the task, or should 
> I consider a different
> OS (e.g. NetBSD)?  Linux is probably not a viable alternative 
> due to the lack of
> timestamp resolution.
> 
> thanks--
> 
> Dave

Dave

I had an issue with Ethereal having excessive dropped packets on a 
well traveled GigE link.  I also tried sniffing via tethereal.  What 
I've noticed is that if I capture with tethereal and drop the capture 
counter into /dev/null that I can capture at a higher rate with fewer 
dropped packets.  On a GigE link ethereal/tethereal can spend a fair amount 
of time updating the captured packets counter.  I wrote a local hack 
which only wrote the number of packets captured at the end of capturing, 
not sure which system I did that on at the moment.  It was a fairly 
trivial hack.

Also, you want to make sure you are not using any of your swap.  Having 
to swap can slow down even the fastest systems.  Most of my capture 
stations have at least 1GByte of RAM.

my U$.02



--__--__--

Message: 4
Date: Thu, 21 Mar 2002 12:32:40 -0800
From: Guy Harris <guy@xxxxxxxxxx>
To: "Eichert, Diana" <deicher@xxxxxxxxxx>
Cc: "'ethereal-users@xxxxxxxxxxxx'" <ethereal-users@xxxxxxxxxxxx>
Subject: Re: [Ethereal-users] dropped packets sniffing gig ethernet

On Thu, Mar 21, 2002 at 01:13:49PM -0700, Eichert, Diana wrote:
> I've noticed is that if I capture with tethereal and drop the capture 
> counter into /dev/null that I can capture at a higher rate with fewer 
> dropped packets.

Then a "-q" flag to Tethereal might be useful, as you may be able to
capture even faster if the capture counter isn't written at all.

It certainly shouldn't be the *only* behavior you get, though.  One
thing annoying about tcpdump, which behaves like

> I wrote a local hack 
> which only wrote the number of packets captured at the end of capturing, 
> not sure which system I did that on at the moment.  It was a fairly 
> trivial hack.

is that you don't know, until you terminate the capture, whether you're
seeing any traffic.  (Yes, you can use control-T on BSD systems with
recent versions of tcpdump, but not all systems support SIGINFO, so that
doesn't solve the problem.)

As for Ethereal, rather than Tethereal:

Microsoft Network Monitor has a "Dedicated Capture Mode", wherein it
closes the main window (I'm not sure why it has to do that) and
displays a box similar to our capture statistics box, with "Stop",
"Pause", "Stop and View", and "Normal Mode" buttons, and a
continually-updating captured-frame count.  That's not quite as quiet as
tcpdump, so it's still consuming CPU time and memory bandwidth updating
the captured frame count, but a mode similar to that might be useful.

(I don't see why Ethereal would need to close the main window - perhaps
on Windows just having it displayed at all consumes CPU time, or perhaps
there's no code path in Network Monitor to allow it to display the
window without updating all the things in it - but displaying only a
"Total" count might help.

I don't know if that'd be sufficiently quiet, though, so we might just
want to have a mode where all you get is a "Stop" button.)
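
The trade-off in this exchange (updating the counter for every packet costs capture time, while a count shown only at the end gives no sign that traffic is arriving) can be handled by rate-limiting the status write. The following is an added example, not code from Ethereal, Tethereal or tcpdump; the class `CaptureCounter`, its three modes and the simulated packet timestamps are constructed for illustration.

```python
"""Added example: three ways a capture loop can report its packet count."""
import io


class CaptureCounter:
    """Counts packets and decides when to write the running total.

    mode "every"     - rewrite the total for each packet (the costly behaviour)
    mode "throttled" - rewrite at most once per `interval` seconds
    mode "quiet"     - write nothing until finish() is called
    """

    def __init__(self, out, mode="throttled", interval=0.5):
        if mode not in ("every", "throttled", "quiet"):
            raise ValueError("unknown mode: %r" % mode)
        self.out = out
        self.mode = mode
        self.interval = interval
        self.count = 0
        self.writes = 0          # number of status writes issued so far
        self._last_write = None  # timestamp of the previous status write

    def _write(self, now):
        self.out.write("\r%d" % self.count)
        self.writes += 1
        self._last_write = now

    def packet(self, now):
        """Call once per captured packet; `now` is its timestamp in seconds."""
        self.count += 1
        if self.mode == "every":
            self._write(now)
        elif self.mode == "throttled":
            if self._last_write is None or now - self._last_write >= self.interval:
                self._write(now)

    def finish(self, now):
        """Always report the final total, whatever the mode."""
        self._write(now)
        self.out.write("\n")
        return self.count


def simulate(mode, packets=100_000, rate=50_000.0, interval=0.5):
    """Feed constructed, evenly spaced arrival times through one counter.

    Returns (packets counted, status writes issued).
    """
    counter = CaptureCounter(io.StringIO(), mode=mode, interval=interval)
    for i in range(packets):
        counter.packet(i / rate)
    counter.finish(packets / rate)
    return counter.count, counter.writes


if __name__ == "__main__":
    for mode in ("every", "throttled", "quiet"):
        print(mode, simulate(mode))
```

The throttled mode keeps the number of status writes proportional to elapsed time rather than to packet rate, so the operator still sees the count move during the capture.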


--__--__--

Message: 5
From: "Broggy, David" <David.Broggy@xxxxxx>
To: "'ethereal-users@xxxxxxxxxxxx'" <ethereal-users@xxxxxxxxxxxx>
Date: Thu, 21 Mar 2002 14:39:27 -0600
Subject: [Ethereal-users] divide by zero when starting ethereal on nt 4.0 sp6.


Any reason why I would be getting a dr. watson 'divide by zero' error when
starting ethereal 0.9.1 on windows nt 4.0 sp6 with a 3com token ring card
installed?

Your help is appreciated.


--__--__--

Message: 6
From: "Corpse" <ip-corpse@xxxxxxx>
To: "Ethereal" <ethereal-users@xxxxxxxxxxxx>
Date: Fri, 22 Mar 2002 10:58:52 +0300
Subject: [Ethereal-users] NMAKE: expanded command line '...' too long


I'm trying to compile ethereal for windows using Microsoft's Visual C...
NMAKE cries that he can't expand command line for python... I don't understand... Did anyone ever really try to do this?
I have even killed all spaces between file names...

Making register.c
NMAKE : fatal error U1095: expanded command line '"D:\Programs\python.exe" make-reg-dotc.py . packet
-aarp.c packet-afs.c packet-aim.c packet-arp.c packet-ascend.c packet-atalk.c packet-atm.c packet-au
to_rp.c packet-bacapp.c packet-bacnet.c packet-bgp.c packet-bootp.c packet-bootparams.c packet-bpdu.
c packet-bvlc.c packet-bxxp.c packet-cdp.c packet-cgmp.c packet-chdlc.c packet-clip.c packet-clnp.c
packet-cops.c packet-cups.c packet-data.c packet-dcerpc.c packet-dcerpc-conv.c packet-dcerpc-epm.c p
acket-dcerpc-mgmt.c packet-dcerpc-remact.c packet-dcerpc-oxid.c packet-ddtp.c packet-dec-bpdu.c pack
et-diameter.c packet-dns.c packet-dsi.c packet-dvmrp.c packet-eigrp.c packet-esis.c packet-eth.c pac
ket-ethertype.c packet-fddi.c packet-fr.c packet-frame.c packet-ftp.c packet-giop.c packet-gnutella.
c packet-gre.c packet-gtp.c packet-gvrp.c packet-h1.c packet-h261.c packet-hclnfsd.c packet-hsrp.c p
acket-http.c packet-icmpv6.c packet-icp.c packet-icq.c packet-ieee80211.c packet-ieee8023.c packet-i
gmp.c packet-igrp.c packet-imap.c packet-ip.c packet-ipp.c packet-ipsec.c packet-ipv6.c packet-ipx.c
 packet-irc.c packet-isakmp.c packet-iscsi.c packet-isis.c packet-isis-clv.c packet-isis-hello.c pac
ket-isis-lsp.c packet-isis-snp.c packet-isl.c packet-isup.c packet-iua.c packet-kerberos.c packet-kl
m.c packet-l2tp.c packet-lapb.c packet-lapbether.c packet-lapd.c packet-ldap.c packet-ldp.c packet-l
lc.c packet-lmi.c packet-lpd.c packet-m2pa.c packet-m3ua.c packet-mapi.c packet-mbtcp.c packet-mip.c
 packet-mount.c packet-mpeg1.c packet-mpls.c packet-mrdisc.c packet-msdp.c packet-msnip.c packet-msp
roxy.c packet-mtp3.c packet-nbipx.c packet-nbns.c packet-ncp.c packet-ncp2222.c packet-netbios.c pac
ket-nfs.c packet-nisplus.c packet-nlm.c packet-nntp.c packet-ntp.c packet-null.c packet-osi.c packet
-osi-options.c packet-ospf.c packet-pgm.c packet-pim.c packet-pop.c packet-portmap.c packet-ppp.c pa
cket-pppoe.c packet-pptp.c packet-q2931.c packet-q931.c packet-quake.c packet-quakeworld.c packet-qu
ake2.c packet-radius.c packet-ranap.c packet-raw.c packet-rip.c packet-ripng.c packet-rlogin.c packe
t-rpc.c packet-rquota.c packet-rsh.c packet-rsvp.c packet-rtcp.c packet-rtp.c packet-rtsp.c packet-r
wall.c packet-rx.c packet-sap.c packet-sctp.c packet-sdp.c packet-sip.c packet-sll.c packet-smb.c pa
cket-smb-browse.c packet-smb-common.c packet-smb-logon.c packet-smb-mailslot.c packet-smb-pipe.c pac
ket-smtp.c packet-sna.c packet-snmp.c packet-socks.c packet-spray.c packet-srvloc.c packet-sscop.c p
acket-ssl.c packet-stat.c packet-stat-notify.c packet-sual.c packet-syslog.c packet-tacacs.c packet-
tcp.c packet-telnet.c packet-tftp.c packet-time.c packet-tns.c packet-tpkt.c packet-tr.c packet-trma
c.c packet-udp.c packet-v120.c packet-vines.c packet-vlan.c packet-vrrp.c packet-vtp.c packet-wccp.c
 packet-wcp.c packet-who.c packet-wap.c packet-wtls.c packet-wsp.c packet-wtp.c packet-x11.c packet-
x25.c packet-xot.c packet-yhoo.c packet-ypbind.c packet-yppasswd.c packet-ypserv.c packet-ypxfr.c pa
cket-zebra.c' too long
Stop.

Although officially ethereal is being compiled by NMAKE, actually it seems to be never tried by anyone...
Of course, may be I do something wrong...

Can anyone suggest me any solution for such situation?
I'll try to learn python usage... But for first sight, I haven't seen any option allowing to pass filenames by other way...
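
One general way around a command-line length limit like the U1095 error above is to have the script read its file list from a response file instead of from the command line. This is an added example, not Ethereal's make-reg-dotc.py and not the project's actual fix; the `@listfile` convention, the function names and the generated file names are assumptions for illustration, built on the standard `argparse` option `fromfile_prefix_chars`.

```python
"""Added example: accept a long source-file list from a response file."""
import argparse
import os
import tempfile


def build_parser():
    # fromfile_prefix_chars makes argparse replace an argument such as
    # "@sources.lst" with the lines of that file, one argument per line,
    # so the list never has to fit on the command line.
    parser = argparse.ArgumentParser(
        description="hypothetical front end for a register.c generator",
        fromfile_prefix_chars="@",
    )
    parser.add_argument("srcdir", help="directory containing the sources")
    parser.add_argument("files", nargs="+", help="source files, or @listfile")
    return parser


def collect_sources(argv):
    """Return (srcdir, [paths]) with blank entries and repeats dropped."""
    args = build_parser().parse_args(argv)
    seen, paths = set(), []
    for name in args.files:
        name = name.strip()
        if not name or name in seen:  # tolerate blank lines and duplicates
            continue
        seen.add(name)
        paths.append(os.path.join(args.srcdir, name))
    return args.srcdir, paths


def demo():
    """Write a constructed 400-name list file and parse it back.

    Returns (files parsed, first path, length the inline command line
    would have needed for the same list).
    """
    names = ["packet-%03d.c" % i for i in range(400)]  # constructed names
    with tempfile.TemporaryDirectory() as tmp:
        listfile = os.path.join(tmp, "sources.lst")
        with open(listfile, "w") as fh:
            fh.write("\n".join(names) + "\n")
        _, paths = collect_sources([".", "@" + listfile])
    inline_len = len(" ".join(["."] + names))
    return len(paths), paths[0], inline_len


if __name__ == "__main__":
    print(demo())
```

With this shape the build only has to pass the directory and one `@listfile` argument, however many dissector sources are added later.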



--__--__--

Message: 7
Date: Fri, 22 Mar 2002 00:47:26 -0800
From: Guy Harris <gharris@xxxxxxxxx>
To: "Eckert, Christopher" <CEckert@xxxxxxxxxxxxxx>
Cc: "'ethereal-users@xxxxxxxxxxxx'" <ethereal-users@xxxxxxxxxxxx>
Subject: Re: [Ethereal-users] IP disabled capture?

On Thu, Mar 21, 2002 at 01:03:08PM -0500, Eckert, Christopher wrote:
> If I disable IP on the capture interface while Ethereal is loaded it keeps
> the interface identified so that I can select it in the Capture Preferences
> dialog box. This works but I can't say if I am adding unwanted traffic to the
> trace file. If I shut off IP on that interface and then start Ethereal the
> interface is not identified in the Capture preferences dialog. 
> 
> Is there a way to identify an interface that is not running an IP stack?

It probably has nothing to do with identifying the interface.  Even if
you entered the name of the interface by hand, there's a good chance
that it wouldn't allow you to capture on it.

Instead, it probably has everything to do with whether WinPcap
acknowledges the existence of the interface; Ethereal is completely
dependent on WinPcap (and the parts of the OS's networking stack that
the WinPcap driver uses, and its networking interface drivers) for
capturing on Windows, just as it's dependent on libpcap (and the OS's
packet capture mechanism, whatever parts of the networking stack the
packet capture mechanism uses, and the OS's networking interface
drivers) on UNIX, so if WinPcap/libpcap can't capture on an interface,
there's nothing Ethereal can do about it.

The change log for WinPcap:

	http://netgroup-serv.polito.it/winpcap/misc/changelog.htm

says:

	Version 2.3 beta, 20 sept 01

	Upgrade to libpcap 0.6.2 from www.tcpdump.org 
	Support for Windows XP 
	Support for plug & play  under Windows 2000 and Windows XP 
	The packet driver is now NDIS 5 compliant 
	Improved dynamic installation: WinPcap can now work on systems
	    without TCP/IP
	Bug fixing

so if you're using WinPcap 2.2, try un-installing it, and then
installing WinPcap 2.3 beta (as the installation instructions:

	http://netgroup-serv.polito.it/winpcap/install/default.htm

say, you must un-install older versions of WinPcap before installing
newer versions), and see if that helps.

If it doesn't, ask the WinPcap developers:

	winpcap@xxxxxxxxxxxxxxxxxxxxxxx

about it.


--__--__--

Message: 8
Date: Fri, 22 Mar 2002 01:36:43 -0800
From: Guy Harris <gharris@xxxxxxxxx>
To: David Erickson <derickson@xxxxxxx>
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] dropped packets sniffing gig ethernet

On Thu, Mar 21, 2002 at 12:03:40PM -0800, David Erickson wrote:
> Linux is probably not a viable alternative due to the lack of
> timestamp resolution.

If you're running Linux on an x86 box, make sure your kernel is
configured with CONFIG_X86_TSC enabled, so that the time stamp counter
(which the Pentium III has) will be used to provide high-resolution time
stamps.


