On Oct 22, 2003, at 4:50 PM, Suhail Hussain wrote:
> Thanks a lot Mr. Harris. I use a simple packet generator to send a
> controlled number of TCP (IPv4) packets. But the number of packets I send is
> different from the number of packets captured using Ethereal. I send 5000
> packets in a burst of 200 packets each time.
> When I use the filter and go and see the packet count in "Data in
> Filtered Packets" section, it shows 3595... there seems to be a packet loss
> somewhere.
There is no guarantee that packets won't be dropped by the packet
capturing mechanism that Ethereal uses. In *some* OSes, that mechanism
can report a count of dropped packets.
Try using Tethereal or tcpdump/WinDump with the "-w" flag - and:
for tcpdump/WinDump, the "-s" flag with an argument of 65535, if you
want to capture the entire packet;
for Tethereal, the "-q" flag, so it doesn't report each packet
captured.
Those programs do less work when capturing packets than does Ethereal
(they have no GUI, for example).
If you *don't* need the entire packet's data, you can use the "-s" flag
to Tethereal or tcpdump to capture only the first N bytes of a packet
(or the "Limit each packet to ... bytes" item in the Ethereal GUI for
capturing). That further reduces the work done to capture packets.
Also, if you only want to see the packets going from a given source to
a given destination, you can use a *capture* filter and not even
capture the other packets; on some OSes, that's done in the OS kernel,
meaning the data for packets not matching the filter aren't copied to
the program, so even less work is done. To capture only IPv4 packets
from, for example, 16.66.66.66 to 16.55.55.55, you'd use a capture
filter of
ip src host 16.66.66.66 and ip dst host 16.55.55.55
That would be used as the last argument to tcpdump/WinDump or
Tethereal, and would be used in the "Filter:" box in the capture GUI
for Ethereal.
If you only want a packet *count*, you don't need to capture the entire
packet - you could just capture the minimum snapshot, which is the
default in tcpdump (so don't specify any "-s" flag) and would be
specified as "-s 68" in Tethereal (and as 68 in the "Limit each packet
to ... bytes" in Ethereal). If you do that, however, you won't be able
to see the full TCP payload if the packets are large.
> Also, what is the difference between the packet count in the "Data"
> section and the Packet Count in "Data in Filtered Packet Section"
The first is the count of packets in the capture file, the second is
the count of packets that have passed the current display filter.
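An added illustration of the two points in the reply above (the source/destination capture filter and the 68-byte snapshot): this is constructed example code, not anything from the mail, Ethereal or tcpdump. It builds a few Ethernet/IPv4/TCP frames, keeps only the first 68 bytes of each as a capture engine with that snapshot length would, and shows that the filter and the packet count still work because the addresses sit inside those 68 bytes, while the TCP payload of larger packets is cut off. The addresses 16.66.66.66 and 16.55.55.55 are the ones from the mail; the frames, ports and payload sizes are made up.

```python
import struct

SNAPLEN = 68  # tcpdump's historical default snapshot length, as in the mail

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def build_frame(src_ip, dst_ip, payload):
    """Constructed Ethernet/IPv4/TCP frame: no options, zeroed checksums."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"                        # 14 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))  # 20 bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18,
                      8192, 0, 0)                                         # 20 bytes
    return eth + ip + tcp + payload

def capture(frames, snaplen=SNAPLEN):
    """Emulate the capture engine: keep the first snaplen bytes of each frame
    but remember the original wire length (like pcap's caplen and len)."""
    return [(len(f), f[:snaplen]) for f in frames]

def matches(captured, src_ip, dst_ip):
    """Emulate 'ip src host SRC and ip dst host DST'. Only the Ethernet type
    and the IPv4 addresses (bytes 26..33) are inspected, so the filter still
    works on records truncated to 68 bytes."""
    if len(captured) < 34 or captured[12:14] != b"\x08\x00":
        return False
    if captured[14] >> 4 != 4:
        return False
    return (captured[26:30] == ip_to_bytes(src_ip)
            and captured[30:34] == ip_to_bytes(dst_ip))

def summarize(records, src_ip, dst_ip):
    """Return (matching packet count, how many of those lost payload bytes,
    visible TCP payload length per matching packet)."""
    count = truncated = 0
    visible = []
    for wire_len, data in records:
        if not matches(data, src_ip, dst_ip):
            continue
        count += 1
        if len(data) < wire_len:
            truncated += 1
        visible.append(max(0, len(data) - 54))  # 14 + 20 + 20 header bytes
    return count, truncated, visible

# Constructed traffic: three packets of interest with growing payloads, plus
# two packets between other hosts (one in the reverse direction) to be dropped.
FRAMES = [build_frame("16.66.66.66", "16.55.55.55", b"A" * n) for n in (10, 100, 1000)]
FRAMES += [build_frame("10.0.0.1", "10.0.0.2", b"B" * 300),
           build_frame("16.55.55.55", "16.66.66.66", b"C" * 20)]

if __name__ == "__main__":
    print(summarize(capture(FRAMES), "16.66.66.66", "16.55.55.55"))  # (3, 2, [10, 14, 14])
```

With the 68-byte snapshot the count of matching packets is exact, but only 14 payload bytes of the 100- and 1000-byte packets survive; rerunning with snaplen=65535 keeps every payload, at the cost of more copying per packet.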