Hey Guy,
Thanks for the detailed response.
I am running Linux on a couple of systems: Gentoo, Ubuntu 10.04 and newer, CentOS.
On the Ubuntu that I am using now:
tcpdump version 4.4.0
libpcap version 1.4.0
On the CentOS it's the exact same version output:
tcpdump version 4.4.0
libpcap version 1.4.0
On one system I have about 15 MB/s, and on the others it's much higher,
maybe in the hundreds of MB/s, depending on the load and the system size.
It can be 8 cores and 32 GB RAM, as it is in one case.
So in a case where there is not much RAM limitation for the machine, I would
think that using more RAM for these buffers can be an option.
Thanks,
Eliezer
On 25/11/13 20:07, Guy Harris wrote:
> On Nov 24, 2013, at 5:04 PM, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
>
>> Since I would not like to research tcpdump code I would like to get some help
>> about it from others.
>> So my kernel would declare packets that were dropped, but still the connection
>> was OK and was not disrupted in any way I can think about.
>> What exactly does this "drop by kernel" mean?
>> Is it dropped by the kernel and not handled by any application? Or does it mean
>> that the buffers of tcpdump got filled and therefore it was dropped by tcpdump?
>
> It means that:
>
>     tcpdump uses libpcap to do packet capture;
>
>     libpcap uses some mechanism or driver in the OS kernel to do packet
>     capture;
>
>     that mechanism has, for each capture in progress on each network
>     interface, buffers into which copies of packets are placed;
>
>     if *those* buffers fill up, because tcpdump (or whatever application is
>     capturing) isn't processing the packets fast enough, any packets that arrive
>     while the buffers are full are not copied to a buffer for capturing on that
>     interface.
>
> That doesn't mean that the packets aren't delivered to the OS networking stack
> (or to other captures being done on the same device).
>
>> In any case I would like to do a very big dump into a storage system on a very
>> loaded system, in which I would like to not drop any packet at either the
>> kernel or any other level, if possible.
>> In case there are tunings for the system in a couple of layers, I would like to at
>> least minimize the drops from lots of packets to a small number of packets.
>
> What OS are you capturing on, and what version of libpcap is tcpdump using (run
> "tcpdump -h" to get the libpcap version)?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
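
A simplified model of the capture-buffer behaviour described in the quoted reply above, added here as an example; it is not part of the original thread and is not tcpdump or libpcap code. It shows why a larger buffer absorbs a burst without "dropped by kernel" counts but cannot prevent drops when the application is slower than the sustained traffic rate. The one-second fluid model, the function names and all traffic figures are assumptions constructed for illustration.

```python
# Simplified fluid model of one kernel capture buffer, stepped once per second.
# All traffic figures below are constructed for illustration, not measurements.

def simulate_capture(arrivals_mb, drain_mb_per_s, buffer_mb):
    """Return (captured_mb, dropped_mb, peak_fill_mb).

    arrivals_mb    -- MB of traffic matching the capture, one value per second
    drain_mb_per_s -- MB the capturing application reads out per second
    buffer_mb      -- capacity of the per-capture kernel buffer
    """
    fill = dropped = peak = 0
    for incoming in arrivals_mb:
        # The application drains while packets arrive; the backlog cannot go negative.
        fill = max(0, fill + incoming - drain_mb_per_s)
        if fill > buffer_mb:
            # Buffer full: the excess is never copied into it ("dropped by kernel").
            # The networking stack itself still receives those packets.
            dropped += fill - buffer_mb
            fill = buffer_mb
        peak = max(peak, fill)
    # Whatever is still buffered at the end is assumed to be read out afterwards.
    return sum(arrivals_mb) - dropped, dropped, peak


def buffer_needed_mb(arrivals_mb, drain_mb_per_s):
    """Smallest buffer that captures this traffic pattern with zero drops."""
    return simulate_capture(arrivals_mb, drain_mb_per_s, float("inf"))[2]


# Constructed traffic: 15 MB/s baseline with a two-second 100 MB/s burst,
# and a sustained 100 MB/s load. The application writes out 40 MB/s.
BURST = [15, 15, 100, 100, 15, 15, 15, 15]
SUSTAINED = [100] * 10
DRAIN = 40

if __name__ == "__main__":
    for name, traffic in (("burst", BURST), ("sustained", SUSTAINED)):
        for size in (2, 256):
            captured, dropped, peak = simulate_capture(traffic, DRAIN, size)
            print(f"{name:9} buffer={size:3} MB captured={captured} "
                  f"dropped={dropped} peak_fill={peak}")
        print(f"{name:9} zero-drop buffer: {buffer_needed_mb(traffic, DRAIN)} MB")
```

On a real capture the buffer size is set through libpcap's `pcap_set_buffer_size()`, which tcpdump exposes as the `-B` option (in KiB).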