graceose.blogg.se

Fortigate packet capture wireshark

We are doing some load testing on our servers and I'm using tshark to capture some data to a pcap file, then using the Wireshark GUI to see what errors or warnings are showing up by going to Analyze -> Expert Info with my pcap loaded in.

I'm seeing various things that I'm not sure of or do not completely understand yet.

779 Warnings for TCP: ACKed segment that wasn't captured (common at capture start)
446 TCP: Previous segment not captured (common at capture start)

40292 0.000 xxx xxx TCP 90 11210 > 37586 Seq=3812 Ack=28611 Win=768 Len=24 TSval=199317872 TSecr=4506547

Command: tshark -i 1 -w file.pcap -c 500000

We also ran the pcap file through a nice command that creates a command line column of data. Basically just saw a few things in the _segment column but not many.

Anyone enlighten what might be going on? tshark not able to keep up with writing data, some other issue? False positive?

Like the warning message says, it is common for a capture to start in the middle of a TCP session. In those cases it does not have that information.

It is possible that tshark can not keep up with the data and so it is dropping some metrics. At the end of your capture it will tell you if the "kernel dropped packet" and how many.

By default tshark disables DNS lookup, tcpdump does not.

If you are really missing ACKs then it is time to start looking upstream from your host for where they are disappearing.
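To make the two warnings concrete, here is an added example (not code from the question or the answer above): a simplified re-implementation of Wireshark's "Previous segment not captured" and "ACKed segment that wasn't captured" checks, run over a constructed packet list in which one client segment is missing from the capture file. The sequence-number logic is an approximation of Wireshark's packet-tcp.c checks, not a copy of it, and the hosts, ports and numbers are made up.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str      # "host:port" of the sender (constructed values)
    dst: str
    seq: int      # TCP sequence number
    ack: int      # TCP acknowledgement number
    length: int   # TCP payload length in bytes

@dataclass
class Direction:
    next_seq: int = -1   # seq we expect next in this direction (-1: nothing seen yet)
    max_end: int = -1    # highest seq+len seen in this direction (-1: nothing seen yet)

def tcp_expert_info(pkts):
    """Return [(frame_no, warning)] mimicking the two Wireshark expert warnings."""
    dirs = {}  # (src, dst) -> Direction
    out = []
    for frame, p in enumerate(pkts, start=1):
        fwd = dirs.setdefault((p.src, p.dst), Direction())
        rev = dirs.setdefault((p.dst, p.src), Direction())
        # Sender jumped past the byte we expected: a segment never made it into the capture.
        if fwd.next_seq != -1 and p.seq > fwd.next_seq:
            out.append((frame, "TCP: Previous segment not captured"))
        # Sender acknowledges bytes we never saw the peer send.
        if rev.max_end != -1 and p.ack > rev.max_end:
            out.append((frame, "TCP: ACKed segment that wasn't captured"))
        end = p.seq + p.length
        if p.length:
            fwd.next_seq = max(fwd.next_seq, end)
        fwd.max_end = max(fwd.max_end, end)
    return out

# Constructed capture: the session (port 11210, as in the question) is already
# running when the capture starts, and the client's segment 28100-28200 is absent
# from the file, e.g. because the capturing host's kernel dropped it.
CLIENT, SERVER = "10.0.0.5:37586", "10.0.0.9:11210"
SAMPLE = [
    Pkt(SERVER, CLIENT, seq=3000, ack=28000, length=24),    # 1: first frame seen, mid-session
    Pkt(CLIENT, SERVER, seq=28000, ack=3024, length=100),   # 2
    # client segment seq=28100 len=100 is missing here
    Pkt(SERVER, CLIENT, seq=3024, ack=28200, length=0),     # 3: acks bytes the file never saw
    Pkt(CLIENT, SERVER, seq=28200, ack=3024, length=100),   # 4: seq jumps past expected 28100
    Pkt(SERVER, CLIENT, seq=3024, ack=28300, length=24),    # 5: back in sync
]

if __name__ == "__main__":
    for frame, text in tcp_expert_info(SAMPLE):
        print(f"frame {frame}: {text}")
```

Frames 3 and 4 are flagged, which is exactly the pattern the answer describes: whether the segment was sent before the capture attached or was dropped by the capturing host, Wireshark only sees the hole, so the "kernel dropped" count printed when tshark stops is the first thing to check.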