Wireshark-dev: Re: [Wireshark-dev] jumping tcp packets
From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Thu, 3 Apr 2008 19:53:19 +1100
You would only be able to see the packets that you are fast enough to
capture, process and write to disk.
In particular for high speed networks it is an unfortunate
fact-of-life that you wont be able to capture packets and write them
to disk at the same speed as the packets arrive at the nic  and thus
you get missed packets unless you have a high-end disk subsystem.

What is the line speed and throughput you are looking at?


On Thu, Apr 3, 2008 at 7:35 PM, Maria de Fatima Requena
<MariaF.Requena@xxxxxx> wrote:
> Hi
>
>  I am implementing a skinny sniffer using winpcap and I am experimenting problems while parsing packets. Some of them are just missed to my application. I am using wireshark to see what is really happening, and I cant understand it
>
>  This is part of my code (callback function called by winpcap):
>
>
>  void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
>  {
>         ip_header *ih=NULL;
>         udp_header *uh=NULL;
>         tcp_header *th=NULL;
>         u_int ip_len;
>         u_short tcp_len;
>         char* sipP,*sipBody;
>         char* skinnyP;
>         std::string payload;
>     int longSIP;
>         map<string,callId_st*>::iterator it;
>
>         Logger* mainLog=0;
>
>
>         /* retireve the position of the ip header */
>         ih = (ip_header *) (pkt_data +
>                 14); //length of ethernet header
>
>         /* retrieve the position of the udp header */
>         ip_len = (ih->ver_ihl & 0xf) * 4;
>
>         mainLog=Logger::GetLogger("main");
>
>         if (ih->proto==0x06)//tcp == 0x06
>         {
>                 th = (tcp_header *) ((u_char*)ih + ip_len);
>
>                 u_short sport=ntohs(th->sdPorts.sport);
>                 u_short dport=ntohs(th->sdPorts.dport);
>
>                 if (sport==2000||dport==2000)//0x7d0=2000
>                 {
>  ...
>
>  This function is run inside a thread as:
>
>  pcap_loop((pcap_t *)handle,0, packet_handler, NULL);
>
>  With this instruction: if (ih->proto==0x06)//tcp == 0x06 I would be able to see every TCP incoming packet anyway, many packets wireshark is able to capture, are left for me. Can anyone have an idea of what is happening?
>
>  Thanks in advance
>
>
>
>
>  María de Fátima Requena Cabot (2488)
>  +34 91 787 23 00 alhambra-eidos.es
>
>
>  _______________________________________________
>  Wireshark-dev mailing list
>  Wireshark-dev@xxxxxxxxxxxxx
>  http://www.wireshark.org/mailman/listinfo/wireshark-dev
>