Wireshark-users: Re: [Wireshark-users] Question on wireshark capture in Wi-Fi network

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 10 Feb 2009 18:01:43 -0800

On Feb 10, 2009, at 1:09 PM, Dani Camps wrote:

I am trying to do captures of a traffic RTP/UDP Video flow streamed over a Wi-Fi network using wireshark. Basically I set my wireless card into monitor mode and then I can see all the traffic over the Wi-Fi interface (802.11 signaling) by running wireshark on the interface.

In the attached file you can see the capture. As it can be seen in the trace marked with red arrows the transmitted sequence numbers are not contiguous which means that some frames are lost. Now, my question is whether is there any way that I can get wireshark to tell me if these packets are really lost:

-Is there a way to ask wireshark to report FCS errors on the measured interface ?

If you mean "is there a way to ask Wireshark to get the FCS error statistics from the wireless adapter driver", no, there's currently no way to do that.

I don't *think* the driver will discard packets with a bad FCS, or configure the adapter to do so, when you're in monitor mode, however. Some drivers might, but that's arguably a bug, as if you're in monitor mode you're presumably trying to look for network issues and would *want* to see packets that are, for example, damaged before reception.

-Could I get a reading of the power that was received in the interface during the moments when a packet should have been lost ?

I don't know whether any wireless adapters can supply a power indication except for a received packet; it sounds as if you want to be able to read the current received signal level at a given time, regardless of whether a packet is being received or not, so as to see whether there wasn't sufficient power at your adapter to receive the packet.

-What other things could be happening? Maybe is a failure of wireshark and the packet is actually there ?

It could be a failure of the packet capture path as a whole, yes. That code path involves:

1) the network adapter itself (which, I guess, could be overwhelmed by too much traffic, although I suspect that's not the most likely problem);

2) the buffer pool maintained by the driver (which, if packets aren't consumed fast enough by the driver and possibly the application, could fill up and cause the adapter to discard packets);

3) the buffering in the general capture mechanism (as you say "monitor mode", this is probably Linux, *BSD, or Mac OS X; if it's Linux, it's probably a socket buffer for a PF_PACKET socket, otherwise it's a BPF buffer; in either case, if packets aren't consumed fast enough by the application, that buffer can fill up and cause the capture mechanism to discard packets).

That could be due to Wireshark not picking up packets fast enough, or due to something else running on the machine interfering with Wireshark's ability to read packets and write them to the capture file, or with the driver's being able to respond to interrupts fast enough to pick up packets, etc..

In cases 1) and 2), I don't think any of the OSes mentioned report packets dropped. In case 3), the OS *should* report that; it's not recorded in pcap-format capture files, but it will, at least, show up if you're doing the capture with tcpdump, dumpcap, or Wireshark:

for tcpdump, when you type ^C, it should report "{N} packets dropped by kernel";

	for dumpcap, when you type ^C, it should report "Packets dropped: {N}";

for Wireshark, in the status bar at the bottom, the second section of the status bar should include "Dropped: {N}".

(TShark didn't appear to print any count; unless it omits the count when it's 0, I'd call that a bug. I'll look into that.)

That number should reflect the number of packets dropped by BPF in *BSD and Mac OS X. Whether it'll reflect that in Linux depends on whether you have a recent enough kernel and a recent enough libpcap; you *probably* do.