nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

Wireshark make our capture program less packet drop? #687

Open guoyaobit opened 11 months ago

guoyaobit commented 11 months ago

When we run Wireshark in the background, our Npcap capture program using the libpcap API has few packet drop problems. If we have multiple libpcap-API capture programs running on the same NIC on the same , there is also less packet drop. So the result is weird and confuses us. Could you please help us explain it?

guyharris commented 11 months ago

I.e., if your program is the only program capturing on an interface, it drops more packets than if you are also running some other program (or even another instance of your program) that captures on the same interface?

guoyaobit commented 11 months ago

Yes. We are using a Python wrapper and Npcap's wpcap.dll on Win10.

I.e., if your program is the only program capturing on an interface, it drops more packets than if you are also running some other program (or even another instance of your program) that captures on the same interface?

guyharris commented 11 months ago

That's... interesting.

By "packet drop" are you referring to the statistics you get from pcap_stats() (or whatever the Python wrapper call to it is), or to something else?

Does it happen if you just start Wireshark up with no capture file and no capture in progress (which starts capturing on all interfaces, with promiscuous mode off and with a small snapshot length, in order to draw the packet graphs on the main window), or do you have to start a capture on the same interface as the one on which your program is capturing?

guoyaobit commented 11 months ago

  1. I get the number of dropped packets not from pcap_stats(); it's just calculated from the number sent and the number captured. I will try pcap_stats() in my program.
  2. Yes, I have to start a capture on the same interface using Wireshark or another process. When I start Wireshark up and do nothing, this did not occur.
  3. Will multiple processes share the kernel buffer or the user buffer?

guyharris commented 11 months ago

  • I get the number of dropped packets not from pcap_stats(); it's just calculated from the number sent and the number captured. I will try pcap_stats() in my program.

That would be interesting, as pcap_stats() would report on packets that were handed to Npcap but that it couldn't save, but not packets dropped for other reasons, so it would give some information on what reasons there would be for the packets being dropped.

  • Yes, I have to start a capture on the same interface using Wireshark or another process. When I start Wireshark up and do nothing, this did not occur.

What happens if you run Wireshark and capture on a different interface?

  • Will multiple processes share the kernel buffer or the user buffer?

The only buffers I would expect two processes using Npcap to capture on the same interface to share would be the packet buffers in the driver for the interface, but each packet would appear only once in that buffer, no matter how many packets were capturing on that interface; there would be separate Npcap driver buffers in the kernel for each process, and there would be separate user-space buffers for each process.
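
An added example, not code from anyone in this thread: one way to compare the "sent minus captured" figure with what pcap_stats() reports, so that loss inside the capture buffer can be told apart from loss elsewhere. It assumes a raw `pcap_t*` handle and a ctypes-loaded wpcap library are available from the wrapper in use; `read_stats` and `split_loss` are hypothetical helper names, and the numbers in the demo are constructed.

```python
import ctypes

class PcapStat(ctypes.Structure):
    # Mirrors libpcap's struct pcap_stat. The last three fields exist only in
    # Windows builds; they are declared so the buffer is large enough there.
    _fields_ = [("ps_recv", ctypes.c_uint), ("ps_drop", ctypes.c_uint),
                ("ps_ifdrop", ctypes.c_uint), ("ps_capt", ctypes.c_uint),
                ("ps_sent", ctypes.c_uint), ("ps_netdrop", ctypes.c_uint)]

def read_stats(lib, handle):
    """Call pcap_stats() on an open pcap_t* (assumption: `lib` is the wpcap
    library loaded with ctypes and `handle` came from that same library)."""
    lib.pcap_stats.argtypes = [ctypes.c_void_p, ctypes.POINTER(PcapStat)]
    lib.pcap_stats.restype = ctypes.c_int
    st = PcapStat()
    if lib.pcap_stats(handle, ctypes.byref(st)) != 0:
        raise OSError("pcap_stats() failed")
    return st

def split_loss(sent, captured, before, after):
    """Attribute sent-minus-captured loss using two pcap_stats() snapshots,
    one taken before the test traffic and one after it."""
    missing = max(sent - captured, 0)
    # Counters are unsigned 32-bit, so take deltas modulo 2**32 in case of wrap.
    buf = (after.ps_drop - before.ps_drop) % 2**32
    nic = (after.ps_ifdrop - before.ps_ifdrop) % 2**32
    # Without a capture filter the counters also include unrelated traffic,
    # so never explain more loss than was actually observed.
    explained = min(buf + nic, missing)
    return {"missing": missing,
            "capture_buffer_drops": buf,   # handed to the capture stack, not saved
            "interface_drops": nic,        # often unsupported and left at 0
            "unexplained": missing - explained}  # lost for other reasons

if __name__ == "__main__":
    # Constructed snapshots standing in for two read_stats() calls.
    before = PcapStat(ps_recv=0, ps_drop=0, ps_ifdrop=0)
    after = PcapStat(ps_recv=9500, ps_drop=300, ps_ifdrop=0)
    print(split_loss(10000, 9500, before, after))
```

A large `unexplained` value points at loss before packets ever reached the capture buffer, which pcap_stats() does not count.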