Wireshark-users: Re: [Wireshark-users] Low Level Ethernet Debugging

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 25 Jul 2007 11:27:05 -0700
Benatar, Naisan wrote:

I'm looking for a way of looking at low-level Ethernet errors and ideally
their contents.

As indicated, getting the contents of the frames is difficult - in many OSes (not just Windows), the adapter or driver will throw away packets with low-level errors, so they aren't supplied to the mechanism libpcap uses to capture packets, and hence tcpdump/WinDump/Wireshark/etc. don't see them.

When I check the Statistics->Summary page in the details of the device it
has "Dropped packets" with the value Unknown.  It would be very useful if
this actually gave the number of packets the hardware was throwing away

Actually, no, it wouldn't. That statistic is intended to show the number of packets dropped because Wireshark wasn't reading packets fast enough to keep up with the capture stream; that's a useful statistic in its own right, and should be preserved. (I'm not sure why it's shown as "Unknown" in that case, if you did a live capture with Wireshark.)

Statistics such as the numbers of various types of link-layer errors should be *separate* statistics. I think NDIS supports getting those statistics, if the driver provides them, so there could be platform-specific code in Wireshark to fetch them (ideally, that should be done in libpcap/WinPcap; perhaps in a future release).

Note that the statistics won't necessarily exactly correspond to the time when you're doing the capture, as the mechanism for getting those statistics knows nothing about any packet captures in progress.
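
An added example, not part of the original message: one way to read driver-reported receive error counters separately from the capture's own drop count, by snapshotting them before and after a capture and taking the difference. It assumes a Linux host and the `/proc/net/dev` format rather than the NDIS route mentioned above; the interface name, the function names and the two snapshots are constructed for illustration.

```python
# Added example: driver-level receive counters from Linux /proc/net/dev,
# sampled before and after a capture. These are kept by the driver/kernel and
# are unrelated to the capture's own "Dropped packets" figure.
# The snapshot text below is constructed sample data.

RX_FIELDS = ["bytes", "packets", "errs", "drop", "fifo", "frame",
             "compressed", "multicast"]

def parse_proc_net_dev(text):
    """Return {interface: {rx_field: int}} from /proc/net/dev content."""
    stats = {}
    for line in text.splitlines()[2:]:           # skip the two header lines
        if ":" not in line:
            continue
        name, counters = line.split(":", 1)
        values = counters.split()
        if len(values) < len(RX_FIELDS):
            continue                              # truncated line, ignore it
        rx = values[:len(RX_FIELDS)]              # receive columns come first
        stats[name.strip()] = dict(zip(RX_FIELDS, map(int, rx)))
    return stats

def rx_error_delta(before, after, iface):
    """Counter increase for one interface between two snapshots."""
    b = parse_proc_net_dev(before)[iface]
    a = parse_proc_net_dev(after)[iface]
    # The interval is snapshot-to-snapshot, so it only brackets the capture;
    # it does not line up exactly with the first and last captured packet.
    return {k: a[k] - b[k] for k in ("packets", "errs", "drop", "fifo", "frame")}

HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|"
    "bytes    packets errs drop fifo colls carrier compressed\n"
)
BEFORE = HEADER + "  eth0: 1000000 5000 2 0 0 1 0 10 900000 4000 0 0 0 0 0 0\n"
AFTER = HEADER + "  eth0: 1900000 9200 9 3 0 5 0 14 1500000 7000 0 0 0 0 0 0\n"

if __name__ == "__main__":
    # Live use: read /proc/net/dev just before starting and just after
    # stopping the capture, then pass both texts to rx_error_delta().
    print(rx_error_delta(BEFORE, AFTER, "eth0"))
```
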