Tshark dropped packets on MacOS Catalina

asked 2021-05-23 19:44:06 +0000 by packetlevel

updated 2021-05-24 13:28:41 +0000 by grahamb

Testing Tshark results in some n of packets being dropped. WS is working fine. Not sure of the best way to go about investigating this - perhaps a problem with this MacOS? e.g.

tshark -a filesize:2 -w testshark3.pcap
Capturing on 'Wi-Fi: en0'
14 
2 packets dropped from Wi-Fi: en0

tshark -a filesize:2 -w testshark4.pcap
Capturing on 'Wi-Fi: en0'
8 
12 packets dropped from Wi-Fi: en0

tshark -a filesize:2 -w testshark5.pcap
Capturing on 'Wi-Fi: en0'
10 

tshark -a filesize:10 -w testshark6.pcap
Capturing on 'Wi-Fi: en0'
41 
5 packets dropped from Wi-Fi: en0

tshark -v
TShark (Wireshark) 3.4.5 (v3.4.5-0-g7db1feb42ce9)

Version info:

Copyright 1998-2021 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.58.3,
with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with
GnuTLS 3.6.15 and PKCS #11 support, with Gcrypt 1.8.7, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.9.

Running on Mac OS X 10.15.6, build 19G2021 (Darwin 19.6.0), with Intel(R)
Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2), with 16384 MB of physical
memory, with locale en_US.UTF-8, with libpcap version 1.9.1, with GnuTLS 3.6.15,
with Gcrypt 1.8.7, with brotli 1.0.9, with zlib 1.2.11, binary plugins supported
(0 loaded).

Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)

MacBook Pro (Retina, 15-inch, Mid 2015) MacOS 10.15.16


Comments

Can you re-run the tests using dumpcap instead of tshark? dumpcap should provide a few more details.

You should see some information such as follows (at least this is what I see using dumpcap on Windows):

Packets received/dropped on interface 'foo': 1074/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)
cmaynard (2021-05-24 15:06:37 +0000)

Thank you - Although WS continues to appear to drop no packets on similar input, I ran some dumpcap and also got YMMV output:

Mon May 24 17:09:41 on ttys000

dumpcap -c 25 -w dumptest1 
Capturing on 'Wi-Fi: en0'
File: dumptest1
Packets captured: 25
Packets received/dropped on interface 'Wi-Fi: en0': 25/9 (pcap:0/dumpcap:0/flushed:9/ps_ifdrop:0) (73.5%)

dumpcap -c 25 -w dumptest2
Capturing on 'Wi-Fi: en0'
File: dumptest2
Packets captured: 25
Packets received/dropped on interface 'Wi-Fi: en0': 25/1 (pcap:0/dumpcap:0/flushed:1/ps_ifdrop:0) (96.2%)

dumpcap -c 25 -w dumptest3
Capturing on 'Wi-Fi: en0'
File: dumptest3
Packets captured: 25
Packets received/dropped on interface 'Wi-Fi: en0': 25/1 (pcap:0/dumpcap:0/flushed:1/ps_ifdrop:0) (96.2%)

dumpcap -c 25 -w dumptest4
Capturing on 'Wi-Fi: en0'
File: dumptest4
Packets captured: 25
Packets received/dropped on interface 'Wi-Fi ...
packetlevel (2021-05-26 16:31:00 +0000)

And does each capture file contain exactly 25 packets? If not, then it would seem the flushing isn't being performed correctly. After all, if you limit dumpcap to capturing 25 packets, you expect 25 packets to be in the capture file when capturing is completed. Of course if there are 25 packets in each capture file, then there were additional packets beyond the 25 that were flushed (thrown away), which is fine.

So according to the information you provided above, namely "Tshark results in some n of packets being dropped. WS is working fine.", if Wireshark does not report any dropped packets (via Statistics -> Capture File Properties, I presume) yet tshark does, then without diving deeper into the code, my guess is that tshark is including the flushed packets with the dropped packets statistics but Wireshark isn't. I think it would be better if all the tools ...

cmaynard (2021-05-26 20:39:16 +0000)
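A quick way to check a pasted dumpcap transcript against the point made in this comment: the added example below (not code from the thread or from Wireshark) parses the "Packets received/dropped" summary line, recomputes the percentage from the counters, and reports whether the "dropped" figure consists only of flushed packets or includes pcap/dumpcap/ps_ifdrop losses. The sample lines are the ones quoted in this thread; the percentage formula received / (received + dropped) is inferred from those numbers.

```python
import re

# Constructed sample input: the summary lines quoted in this thread
# (dumpcap -c 25 on macOS, plus the Windows line from the first comment).
SAMPLE_LINES = [
    "Packets received/dropped on interface 'foo': 1074/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (100.0%)",
    "Packets received/dropped on interface 'Wi-Fi: en0': 25/9 (pcap:0/dumpcap:0/flushed:9/ps_ifdrop:0) (73.5%)",
    "Packets received/dropped on interface 'Wi-Fi: en0': 25/1 (pcap:0/dumpcap:0/flushed:1/ps_ifdrop:0) (96.2%)",
]

LINE_RE = re.compile(
    r"Packets received/dropped on interface '(?P<iface>[^']+)': "
    r"(?P<received>\d+)/(?P<dropped>\d+) "
    r"\(pcap:(?P<pcap>\d+)/dumpcap:(?P<dumpcap>\d+)/flushed:(?P<flushed>\d+)"
    r"/ps_ifdrop:(?P<ps_ifdrop>\d+)\) \((?P<pct>[\d.]+)%\)"
)
COUNTERS = ("received", "dropped", "pcap", "dumpcap", "flushed", "ps_ifdrop")

def parse_summary(line):
    """Parse one dumpcap summary line into its counters; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    stats = {name: int(m.group(name)) for name in COUNTERS}
    stats["iface"] = m.group("iface")
    stats["reported_pct"] = float(m.group("pct"))
    return stats

def classify(stats):
    """Say whether the 'dropped' figure is real capture loss or only flushed packets."""
    total = stats["received"] + stats["dropped"]
    # The printed percentage is received / (received + dropped), so flushed packets
    # lower it exactly like real drops do: 25/(25+9) -> 73.5% in the thread above.
    computed_pct = round(100.0 * stats["received"] / total, 1) if total else 100.0
    consistent = abs(computed_pct - stats["reported_pct"]) < 0.05
    # Loss on the capture path is what the pcap / dumpcap / ps_ifdrop counters hold.
    real_loss = stats["pcap"] + stats["dumpcap"] + stats["ps_ifdrop"]
    if stats["dropped"] == 0:
        verdict = "no loss"
    elif real_loss == 0 and stats["flushed"] == stats["dropped"]:
        verdict = "flushed only"  # excess packets discarded at stop, not a buffer overrun
    else:
        verdict = "real loss"
    return {"verdict": verdict, "computed_pct": computed_pct, "consistent": consistent}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        s = parse_summary(line)
        print(s["iface"], s["dropped"], classify(s)["verdict"])
```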

Thanks - That would be a possible cause - Tshark and dumpcap adding flushed packets to the dropped packets report number. I tend to be suspicious of Apple updates, based on experience.

packetlevel (2021-05-28 17:20:25 +0000)