This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Discrepancy between Linux capture and Windows capture


Wireshark 1.10.2 (64 bit) on Windows 7, Wireshark 1.10 on Ubuntu 13.04 (compiled from source)

I have been troubleshooting a network that contains several Windows Embedded Std 7 POS systems and a back office PC that runs Win 7 Pro. When I first looked at the network I was amazed at the volume of errors (dup ack, retrans, TCP out of order). My initial look was with the back office PC on a hub with a laptop running Win 7 Pro and Wireshark. Wondering if I had an interface issue, I put a netoptics tap on the back office PC connection. My Windows laptop only has one wired Ethernet interface, so I put in an Ubuntu Linux box with two wired interfaces, and when I captured with it the errors magically 'disappeared'. I then bought a USB -> wired Ethernet dongle for my laptop and ran Wireshark on both interfaces (still on the tap) and the errors show again. I have never seen this situation before and don't know where to turn next - I can't trust any captures done on my Windows 7 laptop now and can't take my Linux desktop PC with me on the road!

Why would Wireshark on Windows be showing that the network has errors (thousands of them per minute) but on Linux it is clean?

If I run a tcpdump (or dumpcap) capture on the Linux box then copy the file to the Windows machine, it does not have the errors showing.

I wonder if this is a WinPcap issue or a Wireshark issue?

asked 24 Oct '13, 10:33

PhilN

edited 24 Oct '13, 10:38

Maybe pertinent as well... I used an Ubuntu Live CD in the laptop that normally runs Windows and captured via tcpdump (using the built-in interface and the USB -> Ethernet dongle) and came up with a clean capture that way as well. I then used WinDump and captured two separate files (one from each interface) and merged them. That was even worse.

This is definitely a difference between Windows and Linux and how they capture, but I can't fathom how there can be such a difference.

(24 Oct '13, 10:37) PhilN

From your description, I don't fully understand when the error occurs. Can you please describe your test cases and the results in as much detail as possible?

(28 Oct '13, 08:51) Kurt Knochner ♦