This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet missing issue at peak of network flow in dumpcap.


Hi all,

I have used dumpcap.exe for dumping the VoIP traffic to the disk, and it shows "packets dropped on network" as 0 when it stops. But when testing a SIP call, I found some packets missing from the dumped files in Wireshark.

The dumpcap command used is below, and the ethernet card speed is 1Gbps.

dumpcap.exe -a files:1000000000 -b filesize:3024 -i 1 -B 10240  -P -s 0 -w e:\Packets\h -f "(host xx.xx.xx.xx) && (tcp||udp)"

Can someone please help me with this?

asked 25 Dec '13, 21:04

Binu Babu

edited 25 Dec '13, 21:49

But with testing a sip call there i found some packets missed in the dumped files in Wireshark.

How do you know that there are some packets missing? Do you have a second capture file (taken at a different location) to compare with?

(27 Dec '13, 04:21) Kurt Knochner ♦

@Kurt Knochner yes, I have the Palladion call monitor interface to compare with. There I could find the missed packet with the same SIP Call-ID.

(27 Dec '13, 05:04) Binu Babu

O.K., there are several things to consider:

  • There really are lost frames. As dumpcap does not show them, they must have been lost before dumpcap received the traffic (see the answer of @Jasper). Then you need to figure out where the frames got lost. As you did not say where you took the capture file, I would suggest capturing at a different location (switch SPAN port) to compare the results. Your capture filter should have reduced the amount of traffic well enough to not overload dumpcap. However, I don't know the amount of SIP traffic in your network.
  • The Palladion call monitor is showing the wrong things (SIP calls) or the right things for the wrong time period (wrong time setting somewhere), and thus you believe there should be SIP traffic in the capture file during a certain time interval, whereas there is nothing and Wireshark is right.
(27 Dec '13, 05:50) Kurt Knochner ♦
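The comparison suggested above (the dumpcap file against a second capture point or the call monitor) can be automated by keying each SIP message on Call-ID, CSeq and its start line. The following is an added example, not code from this thread or from Wireshark; the SIP messages are constructed and stand in for the two captures.

```python
"""Report SIP messages present at a reference capture point but absent
from the dumpcap output, grouped by Call-ID (assumed, constructed input)."""
import re
from collections import Counter, defaultdict

# Constructed sample: what the independent monitor (e.g. a SPAN port) saw.
REFERENCE = [
    "INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@ua1\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 100 Trying\r\nCall-ID: abc123@ua1\r\nCSeq: 1 INVITE\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: abc123@ua1\r\nCSeq: 1 INVITE\r\n\r\n",
    "ACK sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@ua1\r\nCSeq: 1 ACK\r\n\r\n",
    "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: abc123@ua1\r\nCSeq: 2 BYE\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: abc123@ua1\r\nCSeq: 2 BYE\r\n\r\n",
    "OPTIONS sip:pbx SIP/2.0\r\nCall-ID: keep1@pbx\r\nCSeq: 7 OPTIONS\r\n\r\n",
]
# Constructed dumpcap side: both 200 OK responses were lost upstream of dumpcap.
CAPTURE = [m for m in REFERENCE if not m.startswith("SIP/2.0 200 OK")]

# Call-ID (or its compact form "i") and CSeq headers, one per line.
HDR = re.compile(r"^(Call-ID|i|CSeq):\s*(.+?)\s*$", re.I | re.M)


def sip_key(msg):
    """Return (call_id, cseq, start_line) for one SIP message, else None."""
    start_line = msg.split("\r\n", 1)[0]
    hdrs = {}
    for name, value in HDR.findall(msg):
        hdrs["Call-ID" if name.lower() in ("call-id", "i") else "CSeq"] = value
    if "Call-ID" not in hdrs or "CSeq" not in hdrs:
        return None
    return (hdrs["Call-ID"], hdrs["CSeq"], start_line)


def missing_messages(reference, capture):
    """Messages seen by the reference but missing (or seen fewer times) in
    the capture, grouped by Call-ID as [(cseq, start_line, missing_count)].
    Counter subtraction keeps counts, so a lost retransmission shows too."""
    ref = Counter(k for k in map(sip_key, reference) if k)
    cap = Counter(k for k in map(sip_key, capture) if k)
    missing = defaultdict(list)
    for (call_id, cseq, start_line), n in (ref - cap).items():
        missing[call_id].append((cseq, start_line, n))
    return {cid: sorted(rows) for cid, rows in missing.items()}


if __name__ == "__main__":
    for call_id, rows in missing_messages(REFERENCE, CAPTURE).items():
        for cseq, start_line, n in rows:
            print(f"{call_id}: missing {n}x '{start_line}' (CSeq: {cseq})")
```

A real run would feed both lists from `tshark -Y sip -T fields -e sip.msg_hdr` or similar exports of each capture; a Call-ID that shows up here while dumpcap reports zero drops points at loss on the SPAN port, NIC or OS side, as the answer below explains.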

One Answer:


Packet drop can occur before dumpcap even sees the packet. Depending on your capture setup you may have drops on a SPAN port, NIC driver level, OS level and maybe a couple of other places. So if dumpcap says it has zero dropped frames it only means that dumpcap didn't drop any packet.

answered 26 Dec '13, 00:45

Jasper ♦♦

@Jasper thank you for the reply. Is there any way to check where the drop exists?

(26 Dec '13, 01:09) Binu Babu

It may be possible to see something like this on the switch for the SPAN session (interface statistics), but I don't think it's possible for the others.

(26 Dec '13, 01:17) Jasper ♦♦

-B is set too high.

-B <buffer size> size of kernel buffer in MiB (def: 2MiB)

filesize:3024 seems very small to me.

What does top show when capturing?

(27 Dec '13, 08:23) Anders ♦

If the parameter for -B is set too high, the following will happen (dumpcap 1.10.x and 1.11.x).

dumpcap: Couldn't set the capture buffer size!
The capture buffer size of 10240MB seems to be too high for your machine, the default of 1MB will be used.

I see two 'problems':

  • A mismatch between the usage text of dumpcap -h (default 2MB) versus the error message (default 1MB)
  • dumpcap might have used another buffer size (1 or 2 MB) than the user expected, because he/she did not notice the error message (if there was one on his/her system)
(27 Dec '13, 08:28) Kurt Knochner ♦

@Kurt Knochner: Thank you for the information, I will try amending the buffer settings.

(07 Jan '14, 00:07) Binu Babu