On Thu, Nov 14, 2002 at 04:09:19PM -0200, Rodrigo Buarque Ramos wrote:
> Last night I left my machine running ethereal to study a network's
> behavior. When I started ethereal I saw some TCP packets on a little
> window,
"Saw some TCP packets on a little window" meaning that the Ethereal
window with the "Stop" button showed a non-zero value in the "TCP" line,
showing that it had seen that many TCP packets? I shall assume so
(otherwise, that window isn't an indication that *Ethereal* saw the TCP
packets).
> but when I stopped it to study the logs I saw no TCP packets.
"Saw no TCP packets" meaning "looked at every packet in the capture, in
detail - i.e., selected the packet and looked at the detailed view in
the middle pane - and none of them had a TCP header in them" or "used
the display filter 'tcp' to look for TCP packets and it found none", or
"Saw no TCP packets" as in "no packet had 'TCP' in the protocol column"?
If the former, I have no idea how that could have happened, unless you
ran out of disk space on the file system to which the capture file was
being written - but Ethereal should see that and report it.
If the latter, note that only TCP packets for a protocol that Ethereal
*doesn't* dissect will have "TCP" in the protocol column.