0

I use Npcap's NULL/loopback capture with Wireshark v2.4.2 and I get complete nonsense stats because for some reason loopback "captures" way too much "on the wire":

enter image description here

As you can see, actual sent packet was 1476 bytes, but Wireshark "captured" 2948 bytes on the wire. This totally messes up with all kinds of statistics and IO graphs do not make any sense. Is this a bug (in Wireshark or Npcap loopback capturer?) How can I make Wireshark ignore that bytes on wire metric and use bytes captured instead for all kinds of stuff (like io graphs, or to show it in "Length" column)

Matt Davis
  • 45,297
  • 16
  • 93
  • 124
Pavel P
  • 15,789
  • 11
  • 79
  • 128

2 Answers2

2

If "bytes captured" is less than "bytes on the wire", it's typically because a snaplen was set when capturing.

Check your capture options (Wireshark: Capture -> Options) and if a snaplen was set, you should either set it to the default value (typically 262144) or some other large value whereby you can ensure that all bytes will be captured.

Christopher Maynard
  • 5,702
  • 2
  • 17
  • 23
  • In my case for "Npcap Loopback Adapter" has default value set for snaplen, just like every other adapter. I have an opposite problem: length is some bogus large value listed in wireshark output, and I want it to show something that does make sense. As you can see from the screenshot packets are 3KB in size, while they are actually ~1.5KB. The only difference: this adapter uses "BSD loopback" link layer header instead of ethernet like all others. I guess, BSD loopback structure carries some extra data that makes it this big compared to actual `bytes captured` – Pavel P Dec 30 '17 at 18:19
  • What's the MTU for the BSD loopback interface? Typically, loopback interfaces have a much higher MTU than the usual 1500 byte MTU you'll find on Ethernet interfaces. – Christopher Maynard Dec 30 '17 at 18:51
  • I don't know the MTU for a bsd loopback, but actual UDP packet size is around 1.5K, while entire captured bytes on wire is around 3K – Pavel P Dec 31 '17 at 02:57
  • What happens if you change the **default** snaplen for this interface to a value at or above 3kB? Can you try setting the snaplen to 65535 bytes and then retest to see how many bytes are captured? – Christopher Maynard Dec 31 '17 at 03:05
1

This may be due to an Npcap bug; see Npcap issue #1524.

user9065877
  • 193
  • 1
  • 1
  • 2