Like the warning message says, it is common for a capture to start in the middle of a tcp session. In those cases it does not have that information. My bet is that you have some very long running tcp sessions and when you start your capture you are simply missing some parts of the tcp session due to that. Having said that, here are some of the things that I have seen cause duplicate/missing acks.

It is possible that tshark cannot keep up with the data and so it is dropping some metrics. At the end of your capture it will tell you if the "kernel dropped packet" and how many. If you are having a disk IO issue then you can do something like write to memory, /dev/shm. BUT be careful because if your captures get very large then you can cause your machine to start swapping. By default tshark disables dns lookup, tcpdump does not. If you use tcpdump you need to pass in the "-n" switch. If you are really missing acks then it is time to start looking upstream from your host for where they are disappearing.

However, Wireshark provides a program, capinfos, which reads a capture file to obtain information about the capture file such as start-time, end-time, number-of-packets, etc. Capinfos does no dissection and so will be much faster than tshark. (See the help for details.) Default output:

    $ capinfos wireless_080224_
    File type: Wireshark/tcpdump/... pcap (gzip compressed)
    File timestamp precision: microseconds (6)
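As an added example (not code from the original answer or from Wireshark), here is a minimal capinfos-style summary in Python: it walks only the libpcap record headers without dissecting any packet, accepts both the gzip-compressed and the nanosecond-precision variants of the format, and stops cleanly at a truncated final record such as a capture killed mid-write. The sample capture, its filename and its timestamps are constructed inline.

```python
import gzip
import struct
from datetime import datetime, timezone

# libpcap magic as read with "<I": the value identifies byte order and precision
MAGICS = {
    0xA1B2C3D4: ("<", 6), 0xD4C3B2A1: (">", 6),   # microsecond timestamps
    0xA1B23C4D: ("<", 9), 0x4D3CB2A1: (">", 9),   # nanosecond timestamps
}

def pcap_summary(data: bytes) -> dict:
    """Walk only the 16-byte record headers (no dissection) and return the
    packet count, first/last timestamp (epoch seconds) and precision digits."""
    if data[:2] == b"\x1f\x8b":                    # gzip-compressed capture
        data = gzip.decompress(data)
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a pcap file, magic %#x" % magic)
    endian, precision = MAGICS[magic]
    off, count, first, last = 24, 0, None, None    # skip 24-byte global header
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):
            break                                  # truncated last record: capture cut off mid-write
        ts = sec + frac / 10 ** precision
        first = ts if first is None else first
        last, count, off = ts, count + 1, off + 16 + incl_len
    return {"packets": count, "start": first, "end": last, "precision": precision}

def make_sample_pcap(compress: bool = False) -> bytes:
    """Constructed sample: three 4-byte records, 0.25 s apart, microsecond magic."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 1203846400 + i, 250000 * i, 4, 4) + b"\x00" * 4
                    for i in range(3))
    return gzip.compress(hdr + recs) if compress else hdr + recs

if __name__ == "__main__":
    s = pcap_summary(make_sample_pcap(compress=True))
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    print("Number of packets:       ", s["packets"])
    print("File timestamp precision:", "microseconds (6)" if s["precision"] == 6 else "nanoseconds (9)")
    print("First packet time:       ", fmt(s["start"]))
    print("Last packet time:        ", fmt(s["end"]))
```

Because only record headers are read, the walk costs one small `struct.unpack` per packet, which is why this style of summary is so much faster than letting tshark dissect every frame.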