Hi Alexey,
On Sat, Aug 05, 2000 at 08:44:07PM +0400, [EMAIL PROTECTED] wrote:
> > handle huge pipes like ATM. There were already some complaints that=20
> > tcpdump does not show every packet (probably because the receive queue
> > is overrun) going over a link.=20
>
> Use getsockopt(PACKET_STATISTICS) to get drop statistics. See the patch.
Yep. I know that. Another to do for my implementation...
> Mapped packet socket shows places where packets were lost exactly,
> by the way. Seems, I did not use this even in the patch, because
> I stopped to update it after tcpdump.org fork.
Hmm, that could be handy.
> > I want tcpdump to use the turbo packet feature and if the filter does
> > not truncate the packet the full data is copied into user space
>
> No! You pass snap size length to recvmsg(). If you want to know original
> packet length, you pass MSG_TRUNC flag to recvmsg(), then return value
> will be real packet length. Again, see the patch.
ACK. I was talking about mmaped socket.
> For mmaped socket snap length is set separately. BTW it is not
> universal solution, it is good only for small snap sizes.
Ugh, sorry, I missed that option. BTW: Is there an updated packet(7)
manpage? If not I would volunteer to write one I have to understand
that stuff anyway.
> > It currently has to work with kernel 2.0.x as well
>
> Mama mia. Old good LBNL tcpdump is enough to satisfy people using 2.0.
> You lose your time, nothing more.
Another mistake I made, granted. But now the code is there and I do not
want to throw it away as long as it works.
> > Point taken. But those inconveniences can be fixed in small steps instead
> > of having a huge patch which does everything at once.
>
> I use tcpdump for... I do not remember. When you do small steps
> for 5 years, you arrive to huge patch. 8)
Exactly my point.
> > I wonder if the default snaplen you are using (144) is right for all
> > interfaces.
>
> It is enough to debug almost everything, which I had to deal with.
>
>
> > Isn't there an interface with a longer header than ethernet?
>
> Of course, they are. Only with SOCK_DGRAM all the interfaces
> are ethernet yet. 8)
:)
> > everything on a fast device can still use "-s".
>
> Rather to reduce binary dump size. 8)
Hmm, we need another option to tcpdump to tell it "capture all header data
from each packet". I think that would be a nice addition but it would
require to extend all dissectors...
Friendly
Torsten
--
Torsten Landschoff Bluehorn@IRC <[EMAIL PROTECTED]>
Debian Developer and Quality Assurance Committee Member
PGP signature
