On Sun, Nov 09, 2003 at 11:51:53AM -0800, Guy Harris wrote:
> On Sun, Nov 09, 2003 at 10:17:08AM +0800, Ching Tung Lo wrote:
> > To my surprise, I pressed Ctrl+C ,it showed that 862 packets dropped .
> >
> > But when I use the command "tethereal -l -V port 53>test",there are no
> > packets be dropped in the file of "test".
>
> Because libpcap format, which is what Ethereal and Tethereal, as well as
> tcpdump, use, do not have any way to record in the file the number of
> packets that have been dropped.
>
> Ethereal should, instead of saying no packets were dropped when it reads
> from a file, say that it doesn't know how many packets were dropped.
Sorry, I misread your message. Ethereal *does*, in effect, say it
doesn't know how many packets were dropped if it's read a capture file,
by not reporting a drop count.
The answer to the question is that Tethereal doesn't print out a
packets-dropped count when it finishes.
tcpdump does - but it reports them to the standard *error*, not the
standard *output*.
Both of those have the benefit that if you pipe the output of tcpdump or
Tethereal to another program or script, that program or script doesn't
have to worry about packet drop counts, just tcpdump or Tethereal
output.
However, the disadvantage is that if you want the packet drop count in a
file along with the decoded packets, with the tcpdump scheme you'd have
to redirect the standard error to the file as well - which would mean
that real errors would show up there as well.
I'm not sure what the correct answer would be, other than "let the user
request whether to send the packet drop counts to the standard output or
standard error", or *maybe*, *if* possible - which it is on UNIX, but
which it might not be on Windows - send them to the standard output if
it's a file and to the standard error if the standard output is a pipe.
The latter, however, probably wouldn't be what you want if you're piping
to "tee".