Tshark dropped packets on MacOS Catalina
Testing Tshark results in some n of packets being dropped. WS is working fine. Not sure of the best way to go about investigating this - perhaps a problem with this MacOS? e.g.
tshark -a filesize:2 -w testshark3.pcap
Capturing on 'Wi-Fi: en0'
14
2 packets dropped from Wi-Fi: en0
tshark -a filesize:2 -w testshark4.pcap
Capturing on 'Wi-Fi: en0'
8
12 packets dropped from Wi-Fi: en0
tshark -a filesize:2 -w testshark5.pcap
Capturing on 'Wi-Fi: en0'
10
tshark -a filesize:10 -w testshark6.pcap
Capturing on 'Wi-Fi: en0'
41
5 packets dropped from Wi-Fi: en0
tshark -v
TShark (Wireshark) 3.4.5 (v3.4.5-0-g7db1feb42ce9)
Version info:
Copyright 1998-2021 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, with GLib 2.58.3,
with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4, with
GnuTLS 3.6.15 and PKCS #11 support, with Gcrypt 1.8.7, with MIT Kerberos, with
MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.9.
Running on Mac OS X 10.15.6, build 19G2021 (Darwin 19.6.0), with Intel(R)
Core(TM) i7-4980HQ CPU @ 2.80GHz (with SSE4.2), with 16384 MB of physical
memory, with locale en_US.UTF-8, with libpcap version 1.9.1, with GnuTLS 3.6.15,
with Gcrypt 1.8.7, with brotli 1.0.9, with zlib 1.2.11, binary plugins supported
(0 loaded).
Built using clang 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)
MacBook Pro (Retina, 15-inch, Mid 2015) MacOS 10.15.16
Can you re-run the tests using dumpcap instead of tshark? dumpcap should provide a few more details.

You should see some information such as follows (at least this is what I see using dumpcap on Windows):

Thank you - Although WS continues to appear to drop no packets on similar input, I ran some (more) dumpcap and also got YMMV output:

And does each capture file contain exactly 25 packets? If not, then it would seem the flushing isn't being performed correctly. After all, if you limit dumpcap to capturing 25 packets, you expect 25 packets to be in the capture file when capturing is completed. Of course if there are 25 packets in each capture file, then there were additional packets beyond the 25 that were flushed (thrown away), which is fine.

So according to the information you provided above, namely "Tshark results in some n of packets being dropped. WS is working fine.", if Wireshark does not report any dropped packets (via Statistics -> Capture File Properties, I presume) yet tshark does, then without diving deeper into the code, my guess is that tshark is including the flushed packets with the dropped packets statistics but Wireshark isn't. I think it would be better if all the tools ...

Thanks - That would be a possible cause - Tshark and dumpcap adding flushed packets to the dropped packets report number. I tend to be suspicious of Apple updates, based on experience.
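
Added example, not part of the original thread: one way to check the question raised above (does the capture file hold exactly the requested number of packets, and what drop counter was recorded in the file) is to count the packet blocks in the file and read the counters from its Interface Statistics Block. It assumes the capture was written as pcapng and that the capture tool wrote `isb_ifrecv`/`isb_ifdrop` options; `capture_stats`, `_block` and `sample_capture` are hypothetical names, and the sample capture is constructed in memory.

```python
import struct

# pcapng block types and ISB option codes (from the pcapng specification)
SHB, IDB, SPB, ISB, EPB = 0x0A0D0D0A, 1, 3, 5, 6
ISB_IFRECV, ISB_IFDROP = 4, 5  # each option value is a 64-bit counter

def capture_stats(data):
    """Count packet blocks and sum recv/drop counters in a pcapng byte string."""
    stats = {"packets": 0, "ifrecv": None, "ifdrop": None}
    endian, pos = "<", 0
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":
            # Section Header Block: the byte-order magic decides endianness
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"truncated or corrupt block at offset {pos}")
        body = data[pos + 8:pos + blen - 4]
        if btype in (EPB, SPB):
            stats["packets"] += 1
        elif btype == ISB:
            opt = 12  # skip interface ID and the 64-bit timestamp
            while opt + 4 <= len(body):
                code, olen = struct.unpack_from(endian + "HH", body, opt)
                if code == 0:  # opt_endofopt
                    break
                if code in (ISB_IFRECV, ISB_IFDROP) and olen == 8:
                    key = "ifrecv" if code == ISB_IFRECV else "ifdrop"
                    value = struct.unpack_from(endian + "Q", body, opt + 4)[0]
                    stats[key] = (stats[key] or 0) + value
                opt += 4 + (olen + 3) // 4 * 4  # option values are 32-bit padded
        pos += blen
    if pos != len(data):
        raise ValueError("trailing bytes after last complete block")
    return stats

def _block(btype, body):
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def sample_capture(n_packets, ifrecv, ifdrop):
    """Constructed little-endian pcapng: SHB, IDB, n packets, one ISB."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(IDB, struct.pack("<HHI", 1, 0, 262144))
    pkt = _block(EPB, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\x00" * 4)
    opts = struct.pack("<HHQHHQHH", ISB_IFRECV, 8, ifrecv, ISB_IFDROP, 8, ifdrop, 0, 0)
    isb = _block(ISB, struct.pack("<III", 0, 0, 0) + opts)
    return shb + idb + pkt * n_packets + isb
```

On a real capture, pass the file's bytes (for example `capture_stats(open(path, "rb").read())`) and compare `packets` with the limit given to the capture tool.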