On Dec 26, 2009, at 9:27 AM, Chris Morgan wrote:
> I have a case where it appears that packets are being missed or
> dropped. I wonder if this is due to too much processing being done in
> the pcap_dispatch() handler in my application in cases where there are
> bursts of packets like facebook chat messages or website visits.
>
> My question is how to detect this situation at runtime or via a test
> case. I thought of using pcap_stats() but I wasn't sure if
> pcap_stat.ps_drop was the number of packets that were dropped only due
> to buffer overruns due to the application callback not processing
> packets quick enough, or if this count referred to duplicate/error
> packets and/or packets dropped due to buffer overruns.
On what version of OS are you capturing the traffic (for a Linux distribution,
give the kernel version), and with what version of libpcap are you doing this?
ps_drop is *supposed* to reflect only packets dropped due to buffer overruns,
but
1) on some OSes, the capture mechanism doesn't make that information
available;
2) there were, I think, bugs in some versions of libpcap on some
platforms that caused ps_drop not to correctly reflect that.
I don't *think* any of those bugs caused it to count packets dropped due to
network errors, and libpcap and the capture mechanisms it uses don't drop
duplicate packets.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
