tcpdump mailing list archives
Re: dropping of packets
From: Guy Harris <gharris () sonic net>
Date: Fri, 30 May 2003 03:22:35 -0700
> I have seen that tcpdump will at the end of a trace give the number of packets that have been dropped by the kernel, but this does not seem to have any relation to packets being discarded because of their malicious nature.
You are correct - it doesn't have any relation to that. It's the number of packets dropped *by the mechanism tcpdump is using to capture packets*. I.e., it's the number of packets that would have been delivered *to tcpdump* by that mechanism, but that were dropped because, for example, tcpdump wasn't running fast enough to capture them.
> I am running Red Hat, and I would like to know which process in the OS takes care of discarding. If tcpdump is interacting with the protocol stack via the application layer, should it not be the case that tcpdump should not be able to sniff malicious datagrams, as they should have been discarded by the network layer already?
No, because tcpdump doesn't interact with the protocol stack in that fashion. The exact way it does so depends on the OS you're using, but, for example, on Linux, it interacts with the protocol stack by using PF_PACKET sockets (see the PACKET(7) man page); the path from the network interface driver to a PF_PACKET socket is different from the path from the network interface driver to network-layer code such as the IPv4 or IPv6 code, and even if the network-layer code discards malicious datagrams, it's only discarding the copy sent to it - the copy sent to PF_PACKET sockets won't be discarded.

-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
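An added example (not from the thread, and not tcpdump's own code) showing the two counters the reply distinguishes on Linux: the PF_PACKET socket's own drop counter, read with getsockopt(PACKET_STATISTICS) and reported by tcpdump as "dropped by kernel", versus the IP layer's discard counters in /proc/net/snmp, which the capture path never sees. The /proc/net/snmp excerpt in the block is constructed, and the PF_PACKET part needs CAP_NET_RAW, just as tcpdump does.

```c
/* Capture-path drops (PF_PACKET) vs. network-layer discards (/proc/net/snmp). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Capture-path counters: what tcpdump prints as "dropped by kernel" at exit. */
int capture_drops(int fd, unsigned *captured, unsigned *dropped)
{
    struct tpacket_stats st;
    socklen_t len = sizeof st;
    if (getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, &st, &len) < 0) return -1;
    *captured = st.tp_packets;
    *dropped = st.tp_drops;                       /* kernel zeroes both after each read */
    return 0;
}

/* Network-layer counters: value of column `name` in the two "Ip:" rows, or -1. */
long ip_snmp_counter(const char *snmp, const char *name)
{
    const char *hdr = strstr(snmp, "Ip: "), *val = hdr ? strstr(hdr + 4, "Ip: ") : NULL;
    if (!hdr || !val) return -1;
    for (hdr += 4, val += 4; *hdr && *hdr != '\n' && *val && *val != '\n';) {
        size_t hl = strcspn(hdr, " \n"), vl = strcspn(val, " \n");
        if (hl == strlen(name) && strncmp(hdr, name, hl) == 0) return strtol(val, NULL, 10);
        hdr += hl + (hdr[hl] == ' ');             /* step header and value rows in lockstep */
        val += vl + (val[vl] == ' ');
    }
    return -1;
}

/* Constructed /proc/net/snmp excerpt (first columns only) for offline checking. */
static const char sample_snmp[] =
    "Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests\n"
    "Ip: 1 64 48213 3 0 0 0 17 48193 39877\nIcmp: InMsgs InErrors\nIcmp: 12 0\n";

int main(void)
{
    char buf[8192] = {0}; unsigned got, lost;
    FILE *f = fopen("/proc/net/snmp", "r");      /* live IP-layer counters if readable */
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    const char *src = f ? buf : sample_snmp;
    printf("IP layer: InHdrErrors=%ld InDiscards=%ld\n",
           ip_snmp_counter(src, "InHdrErrors"), ip_snmp_counter(src, "InDiscards"));
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("PF_PACKET socket (needs CAP_NET_RAW)"); return 1; }
    sleep(2);                                    /* let some traffic arrive first */
    if (capture_drops(fd, &got, &lost) == 0)
        printf("capture path: %u delivered, %u dropped by kernel\n", got, lost);
    return close(fd);
}
```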
Current thread:
- dropping of packets Celia Clark (May 29)
- Re: dropping of packets Guy Harris (May 30)