Ethereal-users: Re: [Ethereal-users] Packet capture with tethereal in Win2k

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 21 Feb 2003 12:00:17 -0800

On Fri, Feb 21, 2003 at 11:26:26AM -0800, Mark Holloway wrote:
> I'm using a Dell P4 with an integrated 3Com 3C920 NIC.  I was copying
> 1.6GB of data from my desktop to another machine and was using tethereal
> to capture to a file (no screen output).  After it was done I received
> stats on how many frames were captured and how many were dropped.  Does
> this mean frames that tethereal couldn't capture, yet still traversed
> the network?

It means frames that libpcap/WinPcap reported as being dropped.  Those
typically mean frames that were captured by the NIC but that weren't
saved by WinPcap because its internal buffer was full, due to Tethereal
not emptying the buffer fast enough.

This could be due to Tethereal being slow, or it could be due to the
traffic just coming in too fast for the machine to keep up.  Try running
WinDump, with "-s 65535" and with the same capture filter (if any), and
with the "-w" flag to capture to a file.

If it *also* reports dropped packets, the packets are probably coming in
too fast for a WinPcap-based program writing packets out to a file in
the fashion that both of them do to keep up.  A capture filter might
help, because some packets get discarded before being stuck into the
buffer, but that also means you see fewer packets.  A smaller "snapshot
length" might help, because fewer bytes of packet data are copied to the
buffer and copied to the application, but that also means you don't see
all of the packet.
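
The buffer behaviour described in the reply above can be reproduced with a small model. This is an added example, not part of the original message and not libpcap/WinPcap code; the buffer size, drain rate, per-record header size and traffic mix are constructed values chosen for illustration.

```python
from collections import deque

RECORD_HEADER = 16  # assumed bytes of per-packet header stored with each record

def simulate_capture(packets, snaplen=65535, capture_filter=None,
                     buffer_bytes=64_000, drain_bytes_per_tick=12_000,
                     arrivals_per_tick=10):
    """Replay packets [(wire_length, tag), ...] through a fixed-size capture buffer.

    Returns how many packets were filtered out, buffered, or dropped."""
    buf, used = deque(), 0
    stats = {"filtered_out": 0, "captured": 0, "dropped": 0}
    for start in range(0, len(packets), arrivals_per_tick):
        for wire_len, tag in packets[start:start + arrivals_per_tick]:
            # A capture filter discards packets before they reach the buffer.
            if capture_filter and not capture_filter(tag):
                stats["filtered_out"] += 1
                continue
            # Only the first `snaplen` bytes of each packet are copied.
            record = min(wire_len, snaplen) + RECORD_HEADER
            if used + record > buffer_bytes:
                stats["dropped"] += 1  # buffer full: seen on the wire, lost to the capture
                continue
            buf.append(record)
            used += record
            stats["captured"] += 1
        # The capturing application empties as much of the buffer as it can.
        budget = drain_bytes_per_tick
        while buf and buf[0] <= budget:
            budget -= buf[0]
            used -= buf.popleft()
    return stats

# Constructed traffic: 10,000 full-size frames, one in four tagged as the file copy.
TRAFFIC = [(1514, "copy" if i % 4 == 0 else "other") for i in range(10_000)]

def run_scenarios():
    return {
        "full_snaplen": simulate_capture(TRAFFIC),
        "snaplen_96": simulate_capture(TRAFFIC, snaplen=96),
        "filtered": simulate_capture(TRAFFIC, capture_filter=lambda t: t == "copy"),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:13} {result}")
```

In this model the short snapshot length and the filter both bring the drop count to zero, at the cost the reply names: truncated packets in one case, fewer packets in the other.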