Wireshark-users: Re: [Wireshark-users] what I witnessed during live capture isn't what is shown b
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Thu, 03 Mar 2011 09:15:03 -0500
On 3/3/2011 1:33 AM, Larry Dieterich wrote:
Hi

This is my first post to this list, and I'm also new to Wireshark.

I am using Wireshark version 1.4.2 on Darwin 10.6.0 Mac OS 10.6.6.
Libpcap version 1.1.1 with libz 1.2.5

> ...

I was also running a ring buffer capture of the stream to write the
capture to sequentially numbered 20MB files on the local drive.

Suddenly, the content of the displayed packets changed radically. No
more color tags on the packets, lots of packets reported as
mal-formed. Very little TCP traffic. Lots of protocols labeled
differently from what I had been seeing. Labels including; Ethernet
II, LLC, FC and hundreds with the protocol 0x####, where #### varies,
but I recorded an example - 2c03, so one of the packets reported its
protocol as 0x2c03 Hundreds of others with similar notation, but
different values for ####.

Dozens of different sources and destinations, all apparently MAC
addresses, none of the IP addresses as I had been seeing in the
source and destination columns.

All of a sudden the anomalous packets cleared and wireshark began
reporting the normal traffic I had been seeing.

Then, it did it again, as described above. Hundreds of nonsense
packets, malformed packets rampant. I assumed that I had detected a
hardware malfunction on the network, or an EMF problem or something
highly unusual. (Note that this is what I am looking for, as I
mentioned I have a real problem I'm trying to solve here involving
seemingly random database crashes.)


Here is the mystery; when I look at the captured files, none of the
anomalous noise and mess which I witnessed and noted during the live
capture is recorded in the captured files! The packets look normal.
I actually made notes about some of the packets and I recorded them
by packet number and description, and file name, while the reported
strange behavior was occurring. But when I look at those capture
files, those same packets look totally different from what I saw and
what I noted during the live stream.



FWIW: I very recently had the same thing happen to me (using, I think, a Wireshark built from SVN).

In my case the capture was just a simple capture (no filters, no ring bufffers, etc) done on a Linux VM from the ;

At the time I was focusing on something else so I didn't pay much attention. I'll see if i can duplicate the problem.

Please do file a bug giving the details of the capture setup and so on (even if you've not duplicated the problem).

Thanks