On Feb 9, 2004, at 5:15 AM, Qili, Zhou wrote:
> I am new to the mailing list and don't know if it is fitting for me to
> propose a question here:

It's appropriate to ask questions, although this question isn't really
an Ethereal question, it's a question about libpcap, and so really
should be asked in the tcpdump-workers@xxxxxxxxxxx mailing list; see
http://www.tcpdump.org

> I checked quite a few items in Ethereal mailing list, but have not
> found how to know if any packets dropped (or how many packets dropped)
> in ETHEREAL or its offline (sniffed) files.

Unfortunately, libpcap-format capture files (that's the format that
tcpdump and Ethereal, for example, use for their capture files) don't
have any place where the count of dropped packets is stored.

> I do not remember where the following definitions come from.

They come from a header file internal to libpcap, giving the internals
of the "pcap_t" data structure, a pointer to which is returned by
libpcap.

> Could anybody instruct me how to use the following information to
> get "TotDrops" (for example, in C/C++)?

The only way to get the TotDrops value - which, by the way, is
maintained in the pcap_t data structure *ONLY* on Digital UNIX - is by
calling "pcap_stats()" on a "pcap_t" obtained by a "pcap_open_live()"
call. (On platforms other than Digital UNIX, "pcap_stats()" works, but
does so by other mechanisms, which is why TotDrops isn't used on those
other platforms.)
Note, however, that
1) there is no guarantee that it'll give you a non-zero value for the
count of packet drops as, on some platforms, the number of packets
dropped during a capture simply isn't available from the OS;
2) it won't ever give you a meaningful value when reading a saved
capture file, i.e. if the "pcap_t" pointer came from
"pcap_open_offline()".
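
Added example, not part of the original message and not libpcap code: a minimal walk of the classic libpcap file layout, showing that the file header and per-record headers carry no drop counter, and that the nearest thing a saved file records (caplen < len) is snaplen truncation, not a drop. The names `pcap_summary`, `pcap_summarize` and the `SAMPLE` bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Everything recoverable from a capture file; note there is no drop counter. */
struct pcap_summary { uint32_t snaplen, linktype, records, truncated; };

/* Read a 32-bit field in the byte order the file was written in. */
static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Walk a classic libpcap file held in memory. Returns 0, or -1 if malformed.
 * File header (24 bytes): magic, version major/minor, thiszone, sigfigs,
 * snaplen, linktype. Record header (16 bytes): ts_sec, ts_usec, caplen, len. */
int pcap_summarize(const uint8_t *buf, size_t n, struct pcap_summary *out) {
    int be;
    if (n < 24) return -1;
    if (rd32(buf, 1) == 0xa1b2c3d4u) be = 1;        /* written big-endian */
    else if (rd32(buf, 0) == 0xa1b2c3d4u) be = 0;   /* written little-endian */
    else return -1;
    out->snaplen = rd32(buf + 16, be);
    out->linktype = rd32(buf + 20, be);
    out->records = out->truncated = 0;
    size_t off = 24;
    while (n - off >= 16) {
        uint32_t caplen = rd32(buf + off + 8, be), len = rd32(buf + off + 12, be);
        if (caplen > n - off - 16) return -1;       /* record runs past end of file */
        out->records++;
        if (caplen < len) out->truncated++;         /* cut by snaplen, not a drop */
        off += 16 + (size_t)caplen;
    }
    return off == n ? 0 : -1;
}

/* Constructed sample: little-endian file, snaplen 4, two records. */
static const uint8_t SAMPLE[] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 4,0,0,0, 1,0,0,0,
    1,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0,  0xde,0xad,0xbe,0xef,
    2,0,0,0, 0,0,0,0, 4,0,0,0, 60,0,0,0, 0xca,0xfe,0xba,0xbe,
};

int main(void) {
    struct pcap_summary s;
    if (pcap_summarize(SAMPLE, sizeof SAMPLE, &s) != 0) return 1;
    printf("records=%u truncated=%u snaplen=%u linktype=%u\n",
           (unsigned)s.records, (unsigned)s.truncated, (unsigned)s.snaplen, (unsigned)s.linktype);
    return 0;
}
```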