Ethereal-users: RE: [Ethereal-users] WinDump Output

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Munshi, Shahid K. (Manpower Contract)" <shahid.k.munshi@xxxxxx>
Date: Tue, 16 Sep 2003 12:40:56 -0500
For the windump -ne -s100 command:

The output screen looks like this:

11:27:06.397471 arp who-has vint-oae41.boi.hp.com tell 41dhcp484.boi.hp.com
11:27:06.409039 arp who-has vint-oae41.boi.hp.com tell 41dhcp484.boi.hp.com
11:27:06.410322 arp who-has vint-oae41.boi.hp.com tell 41dhcp484.boi.hp.com
11:27:06.410362 arp who-has vint-oae41.boi.hp.com tell 41dhcp484.boi.hp.com
11:27:06.410612 arp who-has vint-oae41.boi.hp.com tell 41dhcp484.boi.hp.com
11:27:06.412337 802.1d config 8000.00:10:83:ad:16:00.801e root 0064.00:10:83:15:12:80 pathcost 1 age 1 max 20 hello 2 fdelay 15 
11:27:06.535982 arp who-has hpdmlad.boi.hp.com tell boigw41.boi.hp.com
11:27:06.604106 IP 41dhcp315.boi.hp.com.137 > 15.237.27.255.137: udp 50
11:27:07.063594 IP 41dhcp150.boi.hp.com.138 > 15.237.27.255.138: udp 243
11:27:07.220532 IP 41dhcp540.boi.hp.com.3398 > forwarders.americas.hp.net.53:  790+ PTR? 1.24.237.15.in-addr.arpa. (42)
11:27:07.222299 IP forwarders.americas.hp.net.53 > 41dhcp540.boi.hp.com.3398:  790* 1/11/11 PTR[|domain] (DF)
11:27:07.225068 IP 41dhcp540.boi.hp.com.3399 > forwarders.americas.hp.net.53:  791+ PTR? 238.25.237.15.in-addr.arpa. (44)
11:27:07.226641 IP forwarders.americas.hp.net.53 > 41dhcp540.boi.hp.com.3399:  791* 1/11/11 (496) (DF)
11:27:07.231111 arp who-has vint-oae41.boi.hp.com tell 41dhcp395.boi.hp.com
11:27:07.257379 IP 41dhcp540.boi.hp.com.3400 > forwarders.americas.hp.net.53:  792+ PTR? 74.88.39.15.in-addr.arpa. (42)
11:27:07.259366 IP forwarders.americas.hp.net.53 > 41dhcp540.boi.hp.com.3400:  792* 1/9/9 PTR[|domain] (DF)
11:27:07.261290 IP 41dhcp540.boi.hp.com.3401 > forwarders.americas.hp.net.53:  793+ PTR? 3.88.39.15.in-addr.arpa. (41)
11:27:07.263030 IP forwarders.americas.hp.net.53 > 41dhcp540.boi.hp.com.3401:  793* 1/9/9 PTR[|domain] (DF)
11:27:07.264875 IP 41dhcp540.boi.hp.com.3402 > forwarders.americas.hp.net.53:  794+ PTR? 69.25.237.15.in-addr.arpa. (43)
11:27:07.266495 IP forwarders.americas.hp.net.53 > 41dhcp540.boi.hp.com.3402:  794* 1/11/11 (495) (DF)
11:27:07.268787 IP 41dhcp540.boi.hp.com.3403 > forwarders.americas.hp.net.53:  795+ PTR? 160.24.237.15.in-addr.arpa. (44)
11:27:07.270222 IP forwarders.americas.hp.net.53 > 41dhcp540.boi.hp.com.3403:  795* 1/11/11 (496) (DF)
11:27:07.287239 arp who-has 15.39.92.205 tell boigw41.boi.hp.com
11:27:07.307761 
This is after pressing CTRL + C:

windump: listening on \Device\NPF_{D199E170-8B88-4975-8175-75CB2795CE85}

147 packets received by filter
0 packets dropped by kernel

Why are these numbers different?

Shahid

-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx]
Sent: Tuesday, September 16, 2003 11:35 AM
To: Munshi, Shahid K. (Manpower Contract)
Cc: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] WinDump Output


On Tue, Sep 16, 2003 at 12:27:42PM -0500, Munshi, Shahid K. (Manpower Contract) wrote:
> It says:
> 1410 packets received by filter

Which probably means that the WinPcap driver saw 1410 packets.  If they
weren't UDP packets, it would have filtered them out when capturing with
"udp" as a capture filter, so they wouldn't be printed.

> But, If I type command:
> 
> windump -ne -s100
> 
> This is without any protocol filter.
> 
> It prints out in the output window a different number of packets than it
> reports after pressing CTRL + C.

What are the two numbers?

Note that the number printed as "received by filter", if it comes from
the WinPcap driver (as I think it does), can include packets that have
not yet been read by WinDump - and, as you've terminated WinDump by
typing control-C, those packets never will be read by WinDump.
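The check Guy Harris describes, as an added example that is not part of the thread and not WinDump's or WinPcap's own code: parse a captured windump/tcpdump session, count the packet lines that actually reached the screen, and compare them with the "packets received by filter" and "packets dropped by kernel" counters printed on exit. The sample output is constructed (placeholder hostnames, documentation addresses and a placeholder NPF device GUID, modelled on the lines quoted above), and the cut-off final timestamp line stands for a packet whose output was interrupted by Ctrl-C.

```python
import re
from typing import Dict, Optional

# Constructed sample of "windump -ne -s100" output. Hostnames, addresses and the
# NPF GUID are placeholders, not values from the thread. The lone timestamp near
# the end is a packet line cut off by Ctrl-C; the last two lines are the
# counters windump prints when it exits.
SAMPLE_OUTPUT = """\
11:27:06.397471 arp who-has host-a.example.invalid tell host-b.example.invalid
11:27:06.412337 802.1d config 8000.00:00:5e:00:53:00.801e root 0064.00:00:5e:00:53:01 pathcost 1 age 1 max 20 hello 2 fdelay 15
11:27:06.604106 IP host-c.example.invalid.137 > 192.0.2.255.137: udp 50
11:27:07.220532 IP host-d.example.invalid.3398 > resolver.example.invalid.53:  790+ PTR? 1.2.0.192.in-addr.arpa. (42)
11:27:07.222299 IP resolver.example.invalid.53 > host-d.example.invalid.3398:  790* 1/11/11 PTR[|domain] (DF)
11:27:07.287239 arp who-has 192.0.2.205 tell host-b.example.invalid
11:27:07.307761
windump: listening on \\Device\\NPF_{PLACEHOLDER-GUID}

9 packets received by filter
0 packets dropped by kernel
"""

# A decoded packet line starts with an HH:MM:SS.usec timestamp.
TIMESTAMP_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s*(.*)$")
RECEIVED_LINE = re.compile(r"^(\d+) packets received by filter$")
DROPPED_LINE = re.compile(r"^(\d+) packets dropped by kernel$")


def parse_capture_output(text: str) -> Dict[str, Optional[int]]:
    """Count what the tool printed versus what the driver reported on exit."""
    stats: Dict[str, Optional[int]] = {
        "printed": 0,              # fully decoded packet lines on screen
        "partial": 0,              # timestamp only: output cut off by Ctrl-C
        "received_by_filter": None,
        "dropped_by_kernel": None,
    }
    for raw in text.splitlines():
        line = raw.rstrip()
        m = TIMESTAMP_LINE.match(line)
        if m:
            key = "printed" if m.group(2) else "partial"
            stats[key] += 1
            continue
        m = RECEIVED_LINE.match(line)
        if m:
            stats["received_by_filter"] = int(m.group(1))
            continue
        m = DROPPED_LINE.match(line)
        if m:
            stats["dropped_by_kernel"] = int(m.group(1))
    return stats


def not_yet_printed(stats: Dict[str, Optional[int]]) -> int:
    """Packets the driver counted as received by filter that never reached the screen.

    This is the gap the thread asks about: packets the driver had already
    accepted but that the tool had not yet read and decoded when it was
    interrupted.
    """
    if stats["received_by_filter"] is None:
        raise ValueError("no 'packets received by filter' line; was the capture stopped?")
    return stats["received_by_filter"] - stats["printed"] - stats["partial"]


if __name__ == "__main__":
    s = parse_capture_output(SAMPLE_OUTPUT)
    print(f"printed={s['printed']} partial={s['partial']} "
          f"received_by_filter={s['received_by_filter']} "
          f"dropped_by_kernel={s['dropped_by_kernel']} "
          f"not_yet_printed={not_yet_printed(s)}")
```

Run it against a saved session (`windump -ne -s100 > capture.txt 2>&1`, then feed the file's contents to `parse_capture_output`) to see the three numbers side by side: what was printed, what the driver counted, and what it dropped. A non-zero `not_yet_printed` after Ctrl-C is the buffered-but-unread case described above; a non-zero `dropped_by_kernel` is a separate problem (the capture buffer overflowed) and is the figure to watch when judging whether a capture is complete.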