Wireshark mailing list archives
Re: what I witnessed during live capture isn't what is shown by the capture files
From: Bill Meier <wmeier () newsguy com>
Date: Thu, 03 Mar 2011 09:15:03 -0500
On 3/3/2011 1:33 AM, Larry Dieterich wrote:
> Hi, this is my first post to this list, and I'm also new to Wireshark. I am using Wireshark version 1.4.2 on Darwin 10.6.0 Mac OS 10.6.6. Libpcap version 1.1.1 with libz 1.2.5.
> ...
> I was also running a ring buffer capture of the stream to write the capture to sequentially numbered 20MB files on the local drive. Suddenly, the content of the displayed packets changed radically. No more color tags on the packets, lots of packets reported as malformed. Very little TCP traffic. Lots of protocols labeled differently from what I had been seeing. Labels including: Ethernet II, LLC, FC and hundreds with the protocol 0x####, where #### varies, but I recorded an example - 2c03, so one of the packets reported its protocol as 0x2c03. Hundreds of others with similar notation, but different values for ####. Dozens of different sources and destinations, all apparently MAC addresses, none of the IP addresses as I had been seeing in the source and destination columns.
>
> All of a sudden the anomalous packets cleared and Wireshark began reporting the normal traffic I had been seeing. Then, it did it again, as described above. Hundreds of nonsense packets, malformed packets rampant. I assumed that I had detected a hardware malfunction on the network, or an EMF problem or something highly unusual. (Note that this is what I am looking for, as I mentioned I have a real problem I'm trying to solve here involving seemingly random database crashes.)
>
> Here is the mystery: when I look at the captured files, none of the anomalous noise and mess which I witnessed and noted during the live capture is recorded in the captured files! The packets look normal. I actually made notes about some of the packets and I recorded them by packet number and description, and file name, while the reported strange behavior was occurring. But when I look at those capture files, those same packets look totally different from what I saw and what I noted during the live stream.
FWIW: I very recently had the same thing happen to me (using, I think, a Wireshark built from SVN).
In my case the capture was just a simple capture (no filters, no ring buffers, etc) done on a Linux VM from the ;
At the time I was focusing on something else so I didn't pay much attention. I'll see if I can duplicate the problem.
Please do file a bug giving the details of the capture setup and so on (even if you've not duplicated the problem).
Thanks
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
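One check worth running on the saved ring-buffer files before filing the bug is an independent read of what they actually contain, so the "live display showed garbage, file looks clean" claim rests on more than a second look in the same GUI. The script below is an added example, not code from either message or from the Wireshark project: it parses a classic pcap file with only the standard library, labels each frame by its EtherType the way the protocol column would (IPv4, ARP, 802.3/LLC, or "unknown 0x####" for values like the 0x2c03 in the report), and separately counts records sliced by snaplen (normal) versus records whose header promises more bytes than the file holds (file damage). The embedded sample pcap and its MAC addresses are constructed for the demonstration.

```python
import struct
import sys
from collections import Counter

# Classic pcap layout: 24-byte global header, 16-byte record headers, link type 1 = Ethernet.
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


def iter_records(data: bytes):
    """Yield (incl_len, orig_len, frame) for each record of a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("expected Ethernet link type 1, got %d" % linktype)
    off = GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += RECORD_HEADER_LEN
        yield incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def classify_frame(frame: bytes) -> str:
    """Label a frame by its EtherType, roughly as the protocol column does."""
    if len(frame) < 14:
        return "malformed (short Ethernet header)"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype <= 1500:  # a length field, i.e. 802.3 framing with LLC
        return "802.3/LLC"
    return KNOWN_ETHERTYPES.get(ethertype, "unknown 0x%04x" % ethertype)


def summarize(data: bytes) -> dict:
    """Tally frame types plus the two kinds of truncation a saved file can carry."""
    by_type = Counter()
    sliced = cut_short = 0
    for incl_len, orig_len, frame in iter_records(data):
        if len(frame) < incl_len:  # header promises more bytes than the file has: damage
            cut_short += 1
            continue
        if incl_len < orig_len:  # sliced by snaplen at capture time: normal
            sliced += 1
        by_type[classify_frame(frame)] += 1
    return {"by_type": dict(by_type), "snaplen_sliced": sliced, "cut_short": cut_short}


def build_sample_pcap() -> bytes:
    """Constructed sample file (not from the thread) that exercises every branch above."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

    def rec(frame, orig_len=None):
        orig_len = len(frame) if orig_len is None else orig_len
        return struct.pack("<IIII", 0, 0, len(frame), orig_len) + frame

    mac_a = bytes.fromhex("001122334455")  # constructed addresses
    mac_b = bytes.fromhex("66778899aabb")
    ipv4 = mac_a + mac_b + b"\x08\x00" + b"\x45" + b"\x00" * 19
    arp = mac_b + mac_a + b"\x08\x06" + b"\x00" * 28
    odd = mac_a + mac_b + b"\x2c\x03" + b"\x00" * 10  # EtherType 0x2c03 as in the report
    llc = mac_a + mac_b + b"\x00\x20" + b"\xaa\xaa\x03" + b"\x00" * 29
    runt = mac_a + b"\x08"  # 7 bytes: not even a full Ethernet header
    damaged = struct.pack("<IIII", 0, 0, 60, 60) + b"\x00" * 10  # promises 60, holds 10
    return (hdr + rec(ipv4) + rec(ipv4) + rec(ipv4[:20], 34) + rec(arp)
            + rec(odd) + rec(llc) + rec(runt) + damaged)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    result = summarize(blob)
    for label, n in sorted(result["by_type"].items()):
        print("%6d  %s" % (n, label))
    print("snaplen-sliced: %d, cut short: %d" % (result["snaplen_sliced"], result["cut_short"]))
```

Run it as `python check_pcap.py capture_00001.pcap` against each ring-buffer file; if the files are clean, the "unknown 0x####" and "malformed" rows stay at zero, which is worth stating in the bug report alongside the packet numbers noted during the live session. It reads only the classic pcap format, which is what Wireshark 1.4 writes by default; pcapng files would need a different reader.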
Current thread:
- what I witnessed during live capture isn't what is shown by the capture files Larry Dieterich (Mar 02)
- Re: what I witnessed during live capture isn't what is shown by the capture files Jaap Keuter (Mar 02)
- Re: what I witnessed during live capture isn't what is shown by the capture files Bill Meier (Mar 03)