Wireshark-users: Re: [Wireshark-users] Packets not captured, tcp acking lost segments. Large pack

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 8 Jan 2011 12:14:16 +0100
On 8 jan 2011, at 11:40, Michael Lynch wrote:

> God I hope IPv6 is simpler!!

In some ways it is, but in most ways it isn't, you're in for a treat :-)

> Laura mentions that her Wireshark did pick up these LSO packets in the trace, so I guess I was just unlucky.
> As Graham suggested, I will give a try the "Edit | Preferences | Expand Protocols and find IP | Check "Support packet-capture from IP TSO-enabled hardware".
> I'll let you know if that options resolves the incomplete capture trace.

It won't, the protocol options only have effect on the way Wireshark interprets and displays the captured data not on which packets will be captured.

If the large frames were not captured, they were not captured. It is however interesting to see that netmon on the same machine was able to capture them, while wireshark wasn't. This can be caused by the fact that they both use a different way of getting the packets of the networking stack. Since Wireshark uses WinPcap on windows systems, that's where this could be solved. You might want to address this at the WinPcap mailinglist to improve the WinPcap library to be able to capture large frames in your particular setup (which must also be used by other people).

Cheers,


Sake