Wireshark-users: Re: [Wireshark-users] Help! errors in CAPTURED UDP stream that I know is perfect

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 09 Nov 2011 11:42:17 +0100
Hi Roni,

There are a few notes to be made.

1. You run a custom modified build of a development version of Wireshark.
   This means that:
   a. We do not know what the modifications are, what their influence is.
   b. A development version of Wireshark is always prone to bugs.

2. You run an old version of Wireshark. The 1.3 development release is a
   precursor for the 1.4 stable release branch. While in the mean time
   a 1.6 stable release branch has already been created. It could very
   well be that the MPEG dissector has been improved in the mean time.
   You may want to look at your captures with a new (1.6.3) Wireshark
   release.

3. Since you attempt high bandwidth capture on an interface you may be
   better off using dumpcap, the command line capture dump engine. It
   is more efficient.

4. Make sure to check for reports of dropped frames during capture, which
   is indicative of your hardware not keeping up with the influx.

Thanks,
Jaap



On Tue, 8 Nov 2011 01:08:57 -0500, Roni Peleg wrote:

Hi Wiresharkers,

I'm a newbie so please pardon me if I describe my problem clumsily.

Attached is a picture of the way I capture a file.

I do the next:

1. I inject a perfectly clean MPEG stream over UDP into a PC with
Ethernet 1Gigabit interface network card.

(I know it's clean for sure, and anyway I also checked by some reliable testing tools such as StreamXpert running on the same PC, connected to
the same interface port)

2. I close all windows, no program is running on the PC. The UDP stream
continues flowing in all the time.

3. I open Wireshark, set a capture-file and start recording (I tried
with and without filtering only the relevant IP).

4. From the resulting capture-file I'm stripping the MPEG stream out of
the UDP encapsulation. (did this a hundred times, it's 100% reliable)

5. In the resulting MPEG stream I get "Continuity-Counter Errors" which
means packets were lost or mixed with another stream.

6. Actually, instead of steps 4-5 I later on simply ran Wireshark's
MPEG-TS-checker and indeed the Wireshark itself reported the same CC
Errors!

Have you ever encountered such a problem?

Could it be that Wireshark is too weak to record a ~50Mbps stream into a
capture file?

What should I do??

Thanks in advance,

Roni
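
Added example, not part of the original thread and not Wireshark's own code: a per-PID continuity-counter check of the kind referred to in steps 5 and 6, which reports a gap where a packet was lost. It assumes the UDP payloads have already been stripped and concatenated into a stream of 188-byte TS packets; `ts_packet`, `check_continuity` and `SAMPLE` are names made up for this example, and the sample data is constructed.

```python
TS_SIZE, SYNC, NULL_PID = 188, 0x47, 0x1FFF

def ts_packet(pid, cc, payload=True, discontinuity=False):
    """Build one constructed 188-byte TS packet (sample data for this example)."""
    afc = (0b01 if payload else 0) | (0b10 if discontinuity or not payload else 0)
    pkt = bytes([SYNC, (pid >> 8) & 0x1F, pid & 0xFF, (afc << 4) | (cc & 0x0F)])
    if afc & 0b10:  # adaptation field: length byte, flags byte, stuffing
        af_len = 1 if payload else 183
        pkt += bytes([af_len, 0x80 if discontinuity else 0]) + b"\xff" * (af_len - 1)
    return pkt + b"\xff" * (TS_SIZE - len(pkt))

def check_continuity(stream):
    """Return (packet_index, pid, expected_cc, seen_cc) for every CC error."""
    last, errors = {}, []  # last: pid -> (cc, duplicate_already_seen)
    for off in range(0, len(stream) - TS_SIZE + 1, TS_SIZE):
        pkt = stream[off:off + TS_SIZE]
        if pkt[0] != SYNC:
            raise ValueError(f"sync byte missing at offset {off}")
        pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
        afc, cc = (pkt[3] >> 4) & 0x3, pkt[3] & 0x0F
        if pid == NULL_PID:  # null packets carry no meaningful counter
            continue
        disc = bool(afc & 0b10) and pkt[4] > 0 and bool(pkt[5] & 0x80)
        if pid not in last or disc:  # first packet, or signalled discontinuity
            last[pid] = (cc, False)
            continue
        prev_cc, dup_seen = last[pid]
        if not afc & 0b01:  # no payload: counter must not advance
            expected, dup = prev_cc, dup_seen
        elif cc == prev_cc and not dup_seen:  # a packet may be sent twice
            expected, dup = prev_cc, True
        else:
            expected, dup = (prev_cc + 1) & 0x0F, False
        if cc != expected:
            errors.append((off // TS_SIZE, pid, expected, cc))
        last[pid] = (cc, dup)
    return errors

# Constructed sample: two interleaved PIDs; packet 8 skips CC 3 on PID 0x100.
SAMPLE = b"".join([
    ts_packet(0x100, 0), ts_packet(0x101, 15), ts_packet(0x100, 1),
    ts_packet(0x101, 0),                       # 15 -> 0 wrap is not an error
    ts_packet(0x100, 1, payload=False),        # adaptation only, CC held
    ts_packet(NULL_PID, 7),                    # ignored
    ts_packet(0x100, 2), ts_packet(0x100, 2),  # legal duplicate
    ts_packet(0x100, 4),                       # CC 3 missing: a packet was lost
    ts_packet(0x101, 9, discontinuity=True), ts_packet(0x101, 10),
])
print(check_continuity(SAMPLE))
```

Running the same check on the stream before it reaches the capture PC and on the stream extracted from the capture file shows whether the gaps were introduced by the capture itself.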