Yes and yes. And no and no. It all depends... As I say in the faq entries, packets get dropped a lot of places. And libpcap under Linux isn't very honest about its reporting.

Stuff reported at the driver level would be in the ifconfig counts, that's probably (but not always) before libpcap sees them. How each particular driver is coded and what it's reporting is, well, up to the driver writer. Some NICs have counters that the driver can interrogate, others don't, etc.

Overruns are usually a network card problem on the local LAN segment - it's sending garbage that 'happens' to be more than the garbage counter at the 'start' of the packet. Sort of like looking at the progression of digits from a PRNG and thinking you see a phone number in there 972555121212 - hey, that's directory assistance, but there's an extra 12 in it... But it could be other things, it's dependent upon the NIC and driver as to what count(s) they are actually putting in that bucket.

Then you have the kernel and finally libpcap. Now, for whatever libpcap sees, when you look at the textinfo.html stuff, there should be a trail of where ntop thinks the packets get dropped. Are you seeing non-zero #s there? Or is it just in the dropped by libpcap count?

Luca made a change late in the 3.0 development cycle to essentially poll the libpcap counter and store the count off in ntop's myGlobals structure so we're less dependent upon libpcap. How much better that really is, is still up for grabs.

As to too low end, I think yes. There was a back traffic message where I did some envelope calculations about memory bandwidth - with PC100, I seem to recall finding it was pretty easy to swamp. Might search @ Gmane for PC100 PC133.

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris
> Beck
> Sent: Thursday, April 08, 2004 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] dropped packets
>
>
> I read through faq.html about dropped packets, so I understand (somewhat)
> about where and why they are dropped. I'm noticing that on the WebUI page,
> under Summary -> Traffic, it's showing anywhere between 40% to 70% of the
> packets dropped by libpcap. In the output of ifconfig for my monitoring
> interface, I'm not seeing dropped packets - I'm seeing overruns. So I'm
> assuming this is where it's happening. Are libpcap dropped packets a
> hardware/driver issue, or does that mean that it's actively filtering them
> out?
>
> Out of curiosity, in everyone's experience, what caliber of machine do I
> need to keep up with two T1s worth of traffic (3Mbps)? Right now, it's a
> PIII 550MHz with 256MB of PC100 with an Intel 100Mbps NIC. Does this sound
> too low-end?
>
> Chris Beck, CCNA
> Network Administrator
> Technology Services, City of Fontana
>

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
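The reply above separates loss counted by the NIC/driver (the ifconfig "overruns" and "dropped" counts) from loss counted by libpcap. The sketch below is an added example, not code from ntop or from either poster: it compares the two layers over one interval using Linux /proc/net/dev, assumed here as the source of the ifconfig counts with its `fifo` column being what ifconfig prints as overruns, plus libpcap's `ps_recv`/`ps_drop` pairs. The function names and all snapshot values are constructed.

```python
# Added example: percent of receive loss at the NIC/driver vs. inside libpcap.
RX_FIELDS = "bytes packets errs drop fifo frame compressed multicast".split()

# Constructed /proc/net/dev snapshots taken one interval apart (not real data).
HEADER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
"""
SNAP_T0 = HEADER + "  eth1: 5000000 40000  200 0  200 0 0 0 0 0 0 0 0 0 0 0\n"
SNAP_T1 = HEADER + "  eth1: 9000000 49000 1200 0 1200 0 0 0 0 0 0 0 0 0 0 0\n"

def parse_proc_net_dev(text):
    """Return {interface: {rx_field: int}} from /proc/net/dev content."""
    stats = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        values = rest.split()
        if not sep or len(values) < len(RX_FIELDS):
            continue  # the two header lines have no "iface:" prefix
        stats[name.strip()] = dict(zip(RX_FIELDS, map(int, values)))
    return stats

def delta(before, after):
    """Counter growth over the interval. A smaller 'after' is treated as a
    counter reset (e.g. driver reload), so growth is counted from zero."""
    return after - before if after >= before else after

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def rx_loss_by_layer(dev_t0, dev_t1, iface, pcap_t0, pcap_t1):
    """pcap_t0/pcap_t1 are (ps_recv, ps_drop) pairs from pcap_stats().
    Assumptions (driver/platform dependent): lost frames are not counted in
    'packets', and ps_recv includes packets later counted in ps_drop."""
    b, a = dev_t0[iface], dev_t1[iface]
    delivered = delta(b["packets"], a["packets"])
    overruns = delta(b["fifo"], a["fifo"])   # ifconfig "overruns"
    dropped = delta(b["drop"], a["drop"])    # ifconfig "dropped"
    on_wire = delivered + overruns + dropped
    return {
        "nic_overrun_pct": pct(overruns, on_wire),
        "nic_dropped_pct": pct(dropped, on_wire),
        "libpcap_drop_pct": pct(delta(pcap_t0[1], pcap_t1[1]),
                                delta(pcap_t0[0], pcap_t1[0])),
    }

if __name__ == "__main__":
    t0, t1 = parse_proc_net_dev(SNAP_T0), parse_proc_net_dev(SNAP_T1)
    print(rx_loss_by_layer(t0, t1, "eth1", (40000, 10000), (49000, 14500)))
```

A high libpcap percentage alongside a low NIC percentage points at the capture host rather than the card; what each driver puts in each counter still varies, as the reply notes.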
