On 9/10/07, John R Pierce <pierce at hogranch.com> wrote:
> wireshark can process and display packet capture files from tcpdump -w
>
> capture a few megabytes of packets on the appropriate interface of the
> firewall, then transfer them to a workstation with Wireshark for analysis.

OK, I've got some output from "tcpdump -w any" but I don't know precisely what I'm looking for. (I'd be happy to take this off-list.)

I notice that just over 1/3 of the packets are TCP out-of-order segments and about 4% are duplicate ACKs. We also dumped eth0 and eth1 separately. Statistics on the "any" output show 26Mb/s, but eth0 and eth1 independently are only 10Mb/s each.

By the way, those interrupts/sec numbers in my earlier message were off; I chose a bad moment to look at it, when the peak had subsided. At peak it's more like 2500-3000 interrupts/sec, sometimes as high as 3500.