[Guy Harris <guy@xxxxxxxxxxxx>]

On Nov 16, 2003, at 6:59 PM, Ching Tung Lo wrote:

>    But the command "tethereal -l -V port 53 " didn't show all detailed
> decoded packets on screen.
>    It dropped some packets.
>    If I redirect the tethereal output to a file  "tethereal -l -V port 
> 53 >
> file ",dropped-packets condition will improve.

Writing to a file is probably faster than writing them to the screen.

Writing to a file without "-l" is probably faster than writing them 
with "-l".

(Note also that writing with "-l" shouldn't be necessary if you're not 
writing to the screen or to a pipe.)

>    If I use window-mode ethereal , no packets be dropped.

If you use window-mode Ethereal with an "Update list of packets in real 
time" capture, I suspect it'll drop a lot of packets.

However, if you don't, when Ethereal is capturing, it's *not* 
dissecting the packets, it's just writing them to a file; if it doesn't 
drop packets when you do that, it's probably dissecting packets when 
you're capturing them that's causing the problem with Tethereal.

Try doing

	tethereal -w file port 53

and then, after your capture is done, read "file" with Tethereal (or 
Ethereal, or tcpdump).

>    Do you mean that if I recompile the linux kernel to turn on socket
> filtering and network packet filtering,
>    "tethereal -V " will not drop any packets?

I can't guarantee that it won't drop any packets.  However, I suspect 
it will drop fewer packets - perhaps none, perhaps not.