Ethereal-users: Re: [Ethereal-users] traffic analysis, help please
Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.
Brian Davidson wrote:
Okay, I see that a TCP Packet was lost, but I guess I want a fuller
definition of the word "lost". Yes, the packet might actually not be
there. Beyond that, how likely is it that the traffic was so heavy on
the line that Ethereal did not have resources to capture and save it? I
need to know if "TCP Previous Segment Lost" means absolutely that it was
missing, rather than "slipped past while Ethereal was busy". Is there
some other indicator in the capture file that traffic volume got high
enough to affect the ability to record?
Unfortunately, there isn't. The "next-generation" version of the
libpcap format that's our native capture file format will
1) have the ability to put into the capture file a "statistics" record
indicating how many packets were reported by the host OS software
Ethereal uses to capture as having been received but discarded because
the buffer for captured packets was full (note that some host OS
software might not provide this)
and
2) have the ability to record, for each packet, the number of packets
discarded for that reason since the previous packet *if* the host OS
makes that available (which, again, it might not be).
Even from that you can't know whether a lost segment was one of the
packets discarded by the host OS software. If you're capturing traffic
that is being sent to the machine doing the capture, note that a TCP
segment packet might be processed by the host TCP stack, and the data
in the segment supplied to whatever application is reading from the TCP
connection, *and* discarded by the capture code, because the capture
code might be capturing *all* packets and the buffer used by *it* might
not be large enough, or the program doing the capturing might not be
emptying it fast enough.
On OSes where the information for (1) is available, if you capture with
Ethereal, when the capture finishes it should report the total number of
packets discarded ("Drops") in the left-hand box in the status bar at
the bottom of the display. That's not stored in the capture file, however.
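To see what the "statistics record" and per-packet drop count described above look like once they are stored in a capture file, here is an added example (not part of the thread, and not Ethereal's own code) that builds a small little-endian pcapng file in memory and reads its drop counters back. It assumes the block types and option codes (isb_ifdrop, isb_osdrop, epb_dropcount) from the published pcapng specification; the sample capture is constructed inline, and a missing epb_dropcount is reported as None rather than zero, since the host OS may simply not provide it.

```python
import struct

SHB, IDB, EPB, ISB = 0x0A0D0D0A, 1, 6, 5              # pcapng block types
EPB_DROPCOUNT, ISB_IFDROP, ISB_OSDROP = 4, 5, 7       # 8-byte counter options

def _block(btype, body):
    # pcapng framing: type, total length, 4-byte-padded body, total length.
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))

def make_sample_pcapng():
    # Constructed little-endian capture: two 14-byte packets, the second
    # carrying epb_dropcount=3, and a statistics block reporting 3/1 drops.
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 65535))   # Ethernet, snaplen
    pkt = b"\xaa" * 14 + b"\0\0"                           # data padded to 4
    hdr = lambda ts: struct.pack("<IIIII", 0, 0, ts, 14, 14)
    epb1 = _block(EPB, hdr(0) + pkt)                       # no drop option
    epb2 = _block(EPB, hdr(1) + pkt + struct.pack("<HHQHH", EPB_DROPCOUNT, 8, 3, 0, 0))
    isb = _block(ISB, struct.pack("<III", 0, 0, 0)
                 + struct.pack("<HHQHHQHH", ISB_IFDROP, 8, 3, ISB_OSDROP, 8, 1, 0, 0))
    return shb + idb + epb1 + epb2 + isb

def _options(data):
    opts = {}                       # code -> raw value, up to opt_endofopt
    while len(data) >= 4:
        code, length = struct.unpack_from("<HH", data)
        if code == 0:
            break
        opts[code] = data[4:4 + length]
        data = data[4 + length + (-length % 4):]
    return opts

def _u64(opts, code):
    return struct.unpack("<Q", opts[code])[0] if code in opts else None

def drop_counters(buf):
    """Per-packet epb_dropcount (None if not recorded) and summed ISB drops."""
    per_pkt, stats, off = [], {ISB_IFDROP: 0, ISB_OSDROP: 0}, 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        body = buf[off + 8:off + total - 4]
        if btype == EPB:   # options follow 20-byte header and padded data
            caplen = struct.unpack_from("<I", body, 12)[0]
            per_pkt.append(_u64(_options(body[20 + caplen + (-caplen % 4):]), EPB_DROPCOUNT))
        elif btype == ISB:  # options follow interface id and timestamp
            opts = _options(body[12:])
            for code in stats:
                stats[code] += _u64(opts, code) or 0
        off += total
    return per_pkt, stats
```

A non-zero isb_ifdrop or isb_osdrop means the capture itself is incomplete, so a "previous segment lost" warning from such a file cannot be taken as proof the segment never reached the wire.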