On Nov 24, 2013, at 5:04 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> Since I would not like to research tcpdump code I would like to get some help
> about it from others.
>
> So my kernel would declare on packets that were dropped but still the
> connection was OK and was not disrupted in any way I can think about.
>
> What exactly this "drop by kernel" means?
> Is it dropped by kernel and was not handled by any application? or it means
> that the buffers of tcpdump got filled and therefore was dropped by tcpdump?

It means that:

    tcpdump uses libpcap to do packet capture;

    libpcap uses some mechanism or driver in the OS kernel to do packet capture;

    that mechanism has, for each capture in progress on each network interface, buffers into which copies of packets are placed;

    if *those* buffers fill up, because tcpdump (or whatever application is capturing) isn't processing the packets fast enough, any packets that arrive while the buffers are full are not copied to a buffer for capturing on that interface.

That doesn't mean that the packets aren't delivered to the OS networking stack (or to other captures being done on the same device).

> In any case I would like to do a very big dump into a storage system on a
> very loaded system and which I would like to not drop any packet by either
> the kernel or any other level if possible.
> In a case there are tuning to the system in couple layers I would like to at
> least minimize the drops from lots of packets into a small amount of packets.

What OS are you capturing on, and what version of libpcap is tcpdump using (run "tcpdump -h" to get the libpcap version)?

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
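The buffer behaviour described in the reply above, as a small model added here for illustration; it is not libpcap, tcpdump or kernel code and not part of the original message. All names, the per-tick timing, the slot-based buffer size and the traffic figures are constructed assumptions.

```c
#include <stdio.h>
#include <stddef.h>

/* Model only: counters for one capture in progress on one interface. */
struct capture_stats {
    unsigned long to_stack; /* packets still handed to the networking stack */
    unsigned long captured; /* packets copied into the capture buffer */
    unsigned long dropped;  /* packets that arrived while that buffer was full */
};

/* Constructed traffic, packets arriving per tick. */
static const unsigned BURSTY[8]    = {10, 0, 0, 0, 10, 0, 0, 0};
static const unsigned SUSTAINED[8] = {5, 5, 5, 5, 5, 5, 5, 5};

/* buf_slots: buffer capacity in packets (assumed unit for this model).
 * drain_rate: packets the capturing application reads per tick. */
struct capture_stats simulate_capture(const unsigned *arrivals, size_t ticks,
                                      unsigned buf_slots, unsigned drain_rate)
{
    struct capture_stats st = {0, 0, 0};
    unsigned queued = 0;
    for (size_t t = 0; t < ticks; t++) {
        for (unsigned i = 0; i < arrivals[t]; i++) {
            st.to_stack++;               /* delivery does not depend on the capture */
            if (queued < buf_slots) {
                queued++;
                st.captured++;
            } else {
                st.dropped++;            /* no free space: this copy is skipped */
            }
        }
        queued -= (queued < drain_rate) ? queued : drain_rate; /* app reads */
    }
    return st;
}

static void report(const char *label, struct capture_stats st)
{
    printf("%-20s stack=%lu captured=%lu dropped=%lu\n", label, st.to_stack, st.captured, st.dropped);
}

int main(void)
{
    report("bursty, 4 slots", simulate_capture(BURSTY, 8, 4, 3));
    report("bursty, 16 slots", simulate_capture(BURSTY, 8, 16, 3));
    report("sustained, 4 slots", simulate_capture(SUSTAINED, 8, 4, 3));
    report("sustained, 16 slots", simulate_capture(SUSTAINED, 8, 16, 3));
    return 0;
}
```

In this model the larger buffer absorbs the bursts completely, while under sustained arrival above the application's read rate it only postpones the first drop; the stack counter is unaffected in every run.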