[Winpcap-users] capture differences between Linux system and Windows with winpcap

[Newlon, Phil]

I posted this question on wireshark site but the more I think about it (since results are the same with wireshark and windump) the more I think it is winpcap related.


Wireshark 1.10.2 (64 bit) on Windows 7, Wireshark 1.10 on Ubuntu 13.04 (compiled from source), WinPcap 4.1.3

I have been troubleshooting a network that contains several Windows Embedded Std 7 POS systems and a back office PC that runs Win 7 Pro. When I first looked at the network I was amazed at the volume of errors (dup ack, retrans, tcp out of order). My initial look was with the back office PC on a hub with a laptop running Win 7 Pro and wireshark. Wondering if I had an interface issue, I put a netoptics tap on the back office PC connection. My windows laptop only has one wired ethernet interface so I put a Ubuntu Linux box with two wired interfaces and when I captured with it the errors magically 'disappeared'. I then bought a USB -> wired ethernet dongle for my laptop and ran wireshark on both interfaces (still on the tap) and the errors show again. I have never seen this situation before and don't know where to turn next - I can't trust any captures done on my Windows 7 laptop now and can't take my Linux desktop PC with me on the road!

Why would Wireshark on windows be showing that the network has errors (thousands of them per minute) but on Linux it is clean?

If I run a tcpdump (or dumpcap) capture on the Linux box then copy the file to the Windows machine, it does not have the errors showing.

Maybe pertinent as well.... I used an Ubuntu Live CD in the laptop that normally runs Windows and captured via tcpdump (using built in interface and USB->ethernet dongle) and came up with a clean capture that way as well. I then used windump and captured two separate files (one from each interface) and merged them. That was even worse.

This is definitely a difference between windows and linux and how they capture but I can't fathom how there can be such a difference.

Any insight would be muchly appreciated!
Notice: This e-mail message and its attachments are the property of The Wendy's Company or one of its subsidiaries and may contain confidential or legally privileged information intended solely for the use of the addressee(s). If you are not an intended recipient, then any use, copying or distribution of this message or its attachments is strictly prohibited. If you received this message in error, please notify the sender and delete this message entirely from your system.