This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packets missing using pcap_open_live and also in Wireshark

0

I have to capture data from an FPGA board which sends 15000 frames in total. Each frame consists of 514 bytes, and they are sending each frame at a rate of 4 usec. In my application I used pcap_open_live(devicename, 65536, 1, 1000, errbuf) and added filters to capture the data. I am able to receive only around 12500 packets in my application. I also checked in Wireshark; there I am able to receive 13000 packets. I tried the above on Windows. On Linux I used tcpdump, and there I can receive all the packets correctly. Kindly suggest why I'm missing the packets (Windows)?

asked 25 Sep '14, 00:22

paulraj85


One Answer:

0

My guess is you're capturing with a normal PC and a normal NIC. You're lucky to capture as much as you do with that kind of timing - a 4 µsec sending rate is too fast in most cases, and you'd lose tons of packets if you went for larger frame sizes, I guess.

If you need to capture all packets you'll probably have to get a specialized capture card to be able to avoid drops (e.g. Napatech, Fiberblaze) - but that's gonna be expensive, and they don't seem to market their cards towards single users, only capture system builders. You could also take a look at TurboCAP by Riverbed.

answered 25 Sep '14, 00:27

Jasper ♦♦

Thanks Jasper, but in Linux I am able to capture all data using tcpdump at this speed. Any reason?

(25 Sep '14, 00:42) paulraj85

Possibly the Linux kernel and libpcap are more efficient than Windows + WinPcap. Or your Linux box has a better could and faster RAM.

(25 Sep '14, 00:50) Anders ♦
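
The burst described in the question (15000 frames of 514 bytes, one every 4 usec) can be modelled to see how capture-buffer size and reader speed decide how many frames are lost. This is an added example, not code from the thread or from libpcap/WinPcap; the FIFO model, the buffer sizes and the reader speeds are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Simplified model (assumption, not how any specific driver works):
 * the capture buffer is a byte FIFO, the reading application drains it
 * at a constant rate, and a frame that does not fit whole is dropped. */
long frames_dropped(long frames, long frame_bytes, double gap_us,
                    double buffer_bytes, double drain_bytes_per_us)
{
    double fill = 0.0;          /* bytes currently queued */
    long dropped = 0;

    for (long i = 0; i < frames; i++) {
        /* Reader drains during the gap before this frame arrives. */
        fill -= drain_bytes_per_us * gap_us;
        if (fill < 0.0)
            fill = 0.0;
        if (fill + (double)frame_bytes > buffer_bytes)
            dropped++;          /* no room: frame is lost */
        else
            fill += (double)frame_bytes;
    }
    return dropped;
}

int main(void)
{
    /* From the question: 15000 frames, 514 bytes each, one per 4 usec. */
    const long frames = 15000, size = 514;
    const double gap = 4.0, line_rate = size / gap;  /* 128.5 bytes/usec */
    /* Constructed buffer sizes and reader speeds (fractions of line rate). */
    const double buffers[] = { 1e6, 4e6, 8e6 };
    const double speeds[]  = { 0.5, 0.8, 1.0 };

    printf("burst: %ld bytes in %.0f usec\n", frames * size, frames * gap);
    for (int b = 0; b < 3; b++)
        for (int s = 0; s < 3; s++)
            printf("buffer %8.0f B, reader at %3.0f%% of line rate: "
                   "%ld dropped\n", buffers[b], speeds[s] * 100.0,
                   frames_dropped(frames, size, gap, buffers[b],
                                  speeds[s] * line_rate));
    return 0;
}
```

The whole burst is 7,710,000 bytes arriving in 60 ms, so in this model a buffer at least that large loses nothing even with a slow reader, while a smaller buffer only avoids drops when the reader keeps up with the line rate.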