This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is Wireshark reliable?

0

I have written code on a device that sends an ARP request to get the MAC address of the PC and then communicates with it through UDP.

I have an application that makes this happen in a loop (open the port; ARP request + UDP data packets (a few packets); then close the port). The loop is mainly to know the reliability of the device to communicate.

My problem is, I am supposed to get an ARP request continuously, but it is not happening all the time.

I want to know whether it is possible that Wireshark could have failed to show us these packets, even if the device has sent them, because I am pretty sure that the device goes to the state where it sends the ARP request.

Thanks in advance.

asked 24 Sep '13, 02:24


Raja Balaji
1446
accept rate: 0%


2 Answers:

1

If the packets were captured Wireshark will show them, unless you have a filter applied that hides them. If you are missing a couple of packets then maybe they just weren't recorded in the first place. If you're capturing on a SPAN port for example it is possible that the monitor port is oversubscribed and drops a couple of frames every once in a while. If you need to be absolutely sure that the packet was there you'll need to capture using a full duplex tap - which is a more complex setup.

answered 24 Sep '13, 03:05


Jasper ♦♦
23.8k551284
accept rate: 18%

1

> My problem is, I am supposed to get an ARP request continuously, but it is not happening all the time.
>
> I want to know whether it is possible that Wireshark could have failed to show us these packets, even if the device has sent them, because I am pretty sure that the device goes to the state where it sends the ARP request.

It may be possible that there is a bug in Wireshark or any other problem that prevents it from seeing the packets (i.e. wrong checksum --> system driver drops the packet).

However, and please don't get me wrong (really no offense!!): If I look at the history of your questions and network problems, I don't think the problem is with Wireshark, but rather with your LabVIEW application or the code on the Arduino controller (see your other questions).

> My problem is, I am supposed to get an ARP request continuously, but it is not happening all the time.

Maybe the LabVIEW code interacts with the OS IP stack in a way you don't know and that prevents the ARP request from being sent (at least sometimes). The same applies if you send the ARP request from the Arduino controller.

So, do you see the OS interface counters go up if you send the ARP requests? That would be a first hint if the ARP packet was dropped by the OS.

++UPDATE++
To answer your question:

> Is Wireshark reliable?

In general yes. In your special case, I'm pretty sure it's not a problem with Wireshark, as it shows most of the ARP requests. Only a few are missing. The chances that this is a bug in Wireshark are pretty low, so I tend to say it must be related to your software (most likely), the OS or the network itself.

Regards
Kurt

answered 24 Sep '13, 06:51


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 25 Sep '13, 02:28
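
One way to confirm which loop iterations have no ARP request in the saved capture, independent of any display filter (an added example, not part of the original answers): the script reads the capture file directly and reports gaps between consecutive ARP requests. It assumes a classic pcap file (not pcapng) with Ethernet link type and a one-second loop period; the sample capture, MAC address and IP addresses are constructed.

```python
import struct

ARP_ETHERTYPE, ARP_REQUEST = 0x0806, 1

def arp_requests(pcap: bytes):
    """Return [(timestamp, sender_mac, target_ip)] for every ARP request in a classic pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                       # file written little-endian
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"                       # file written big-endian
    else:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    out, off = [], 24                   # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _origlen = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ARP_ETHERTYPE:
            continue                    # too short for Ethernet + ARP, or not ARP
        if struct.unpack_from("!H", frame, 20)[0] != ARP_REQUEST:
            continue                    # ARP reply or other opcode
        mac = frame[22:28].hex(":")     # sender hardware address
        ip = ".".join(str(b) for b in frame[38:42])  # target protocol address
        out.append((sec + usec / 1e6, mac, ip))
    return out

def missing_intervals(times, period, slack=0.5):
    """Return (previous, next) timestamp pairs spaced further apart than period * (1 + slack)."""
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > period * (1 + slack)]

def build_sample():
    """Constructed capture: one ARP request per second for 192.168.1.10, the one at t=3 absent."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    src = bytes.fromhex("020000000001")  # constructed sender MAC
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST) + src + bytes([192, 168, 1, 20]) \
        + bytes(6) + bytes([192, 168, 1, 10])
    frame = b"\xff" * 6 + src + struct.pack("!H", ARP_ETHERTYPE) + arp
    for t in (0, 1, 2, 4, 5):
        pcap += struct.pack("<IIII", t, 0, len(frame), len(frame)) + frame
    return pcap

if __name__ == "__main__":
    reqs = arp_requests(build_sample())
    print(len(reqs), "ARP requests; gaps:", missing_intervals([t for t, _, _ in reqs], period=1.0))
```

A gap reported here only shows that the frame is absent from the capture file; whether the device never sent it or the capture path dropped it still has to be settled with the interface counters or a tap, as the answers describe.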