Wireshark-users: Re: [Wireshark-users] Capturing 802.11 RSSI and TX Rate Values Using Ubuntu Linu

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 14 Jan 2009 21:24:02 -0800

On Jan 14, 2009, at 9:04 PM, Tal Rusak wrote:

> In Wireshark, while my host was loading several webpages with many
> graphics, etc. I am only seeing about 200 TCP and 200 UDP packets, 3
> ARPs, the rest "others".

200+200+3 > 0, so

> However, now I am only picking
> up packets of type "Other" when sniffing on mon0.

and

> "Other" are just 802.11 beacons for the most part--none of the
> colored packets, UDP, TCP, etc. are showing up anymore.

appear to be misstatements of the problem - you're *not* only picking up packets of type "Other", you're picking up *mostly* packets of type "Other" but are *still* seeing UDP and TCP and... packets.

> I think there should be more.

Perhaps the problem is that there are too many packets being received and libpcap+dumpcap can't read them fast enough and some are getting dropped. If most of them are beacons and control packets, losing a given percentage of all packets might still leave plenty of beacons and control packets but leave fewer data packets (and, in addition, it might be harder to tell by looking at a capture whether you've lost beacons or control packets).

> In tcpdump, it is harder to tell, but there are very few data packets

Again, "very few" > "none".

You might try downloading libpcap 1.0.0 from

	http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz

and tcpdump 4.0.0 from

	http://www.tcpdump.org/release/tcpdump-4.0.0.tar.gz

Unpack them both in the same parent directory, configure and build libpcap, configure and build tcpdump, make sure that when you run "tcpdump -h" it reports

	tcpdump version 4.0.0
	libpcap version 1.0.0

and then try doing

	tcpdump -i mon0 -s 0 -w /tmp/capture.pcap

while the other host is loading the Web pages. Then, after you type ^C to stop tcpdump, see whether it reports any packets "dropped by kernel", and read /tmp/capture.pcap with Wireshark. libpcap 1.0.0 can do memory-mapped captures on Linux, which might reduce the number of packet drops (by allocating a bigger buffer than the default socket buffer, and by avoiding some packet capturing and *perhaps* allowing multiple packets to be read per wakeup), and it might also do a better job of getting capture statistics - including packet drop counts.
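The check Guy suggests above - stop tcpdump with ^C and look at the "dropped by kernel" count - is easy to eyeball once, but when you repeat the capture with different buffer sizes or filters it helps to turn the summary into a number. The following is an added example, not part of this reply and not tcpdump's own tooling: a small POSIX shell helper that parses the "N packets captured" / "N packets dropped by kernel" lines tcpdump prints to stderr at exit and reports the drop rate. The 5% threshold and the use of dropped / (captured + dropped) as the rate are this example's own assumptions (what "received by filter" counts varies by platform, so it is deliberately not used as the denominator), and the sample summary lines are constructed, not output from the poster's system.

```sh
#!/bin/sh
# Added example: quantify the "dropped by kernel" count from tcpdump's exit
# summary so you can judge whether capture drops explain missing data frames.
#
# Run the capture with stderr kept, then feed that file to drop_verdict:
#   tcpdump -i mon0 -s 0 -w /tmp/capture.pcap 2>/tmp/tcpdump.err
#   drop_verdict < /tmp/tcpdump.err

drop_rate_percent() {
    # Reads tcpdump's stderr summary on stdin and prints the integer
    # percentage of packets dropped, as dropped / (captured + dropped).
    # Assumption: this approximates the true loss; "received by filter" is
    # not used because its meaning differs between platforms. A summary
    # without a "dropped by kernel" line (older libpcap) yields 0.
    awk '
        /packets captured/          { captured = $1 + 0 }
        /packets dropped by kernel/ { dropped  = $1 + 0 }
        END {
            total = captured + dropped
            if (total == 0) { print 0; exit }
            printf "%d\n", (dropped * 100) / total
        }'
}

drop_verdict() {
    # Reads the summary on stdin; $1 is the percentage above which drops are
    # treated as a plausible cause of the missing packets (assumed 5).
    # Returns 1 when drops are significant, 0 when they are negligible.
    threshold=${1:-5}
    pct=$(drop_rate_percent)
    if [ "$pct" -gt "$threshold" ]; then
        echo "kernel drops ${pct}%: significant - try a larger buffer (libpcap 1.0.0 memory-mapped capture) or a tighter capture filter"
        return 1
    fi
    echo "kernel drops ${pct}%: negligible - the missing frames are not a capture-buffer problem"
    return 0
}

# Constructed sample of what tcpdump prints on ^C (not real output).
sample='1423 packets captured
1600 packets received by filter
177 packets dropped by kernel'

printf '%s\n' "$sample" | drop_verdict || true
```

If the reported rate is low but data frames are still scarce, the capture buffer is not the bottleneck and the cause is elsewhere (wrong channel, frames the monitor interface never sees, or encrypted frames that Wireshark cannot classify); if it is high, rebuilding with libpcap 1.0.0 as described above is the first thing to try.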