tcpdump mailing list archives

Re: dealing with collisions, dropped packets


From: Guy Harris <guy () alum mit edu>
Date: Mon, 01 Nov 2004 12:20:26 -0800

Matt Van Mater wrote:

> Recently I've been investigating why tcpdump on my IDS shows quite a few packets as being dropped.

Probably because it's receiving so many packets that it can't keep up. Drops, as reported by tcpdump, are drops due to the buffer in the packet capture mechanism overflowing due to tcpdump not being able to read packets fast enough.

> I think this is because my traffic to the IDS is fed through a hub where I know there are many collisions (there may be too many packets per second for the little soho 10/100 hub to handle). I'm not sure how tcpdump handles collisions,

It doesn't. It wouldn't even know about them unless the packet capture mechanism libpcap uses supplies that in a form libpcap can use in "pcap_stats()" (which I'm not sure is the case on any OS), and, even then, it doesn't report the "ps_ifdrop" statistic.

If you want to know how many collisions an interface sees, you'd probably have to use some other program that gets a collision count from the network adapter. I also don't know whether it'd report collisions other than those from packets being sent on the adapter.

> Is there a way to get more fine grained statistics on why packets are dropped,

That depends on the OS - there might be a command, or GUI tool, to get those statistics from the driver.

> and would collisions coming in off a hub be shown as dropped?

They wouldn't be reported as dropped by tcpdump. Tcpdump would report only drops due to the buffer in the packet capture mechanism overflowing due to tcpdump not being able to read packets fast enough.

As for other programs to report packet statistics, I don't know. A "collision coming in off a hub" is presumably a packet being transmitted by another machine on the network that gets stomped on by some third machine transmitting; I don't know whether an adapter would recognize and report that as a collision other than some other type of packet error, and don't know how they'd be reported.
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
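
Added example, not part of the original message: a sketch of the "other program" approach for reading adapter-level counters, kept separate from the capture-buffer drops tcpdump reports. It assumes a Linux sensor (the thread names no OS) and the /proc/net/dev column layout; the two snapshots are constructed sample data and the function names are hypothetical.

```python
# Added example: compare two /proc/net/dev snapshots (Linux layout assumed).
RX = ["bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast"]
TX = ["bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed"]
FIELDS = ["rx_" + n for n in RX] + ["tx_" + n for n in TX]
# Counters that point at trouble below the capture layer. Note that "colls"
# sits in the Transmit half of the file.
WATCH = ("rx_errs", "rx_drop", "rx_fifo", "rx_frame", "tx_colls")

HEADER = (
    "Inter-|   Receive                            |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast"
    "|bytes packets errs drop fifo colls carrier compressed\n"
)
# Constructed sample snapshots, not real measurements.
BEFORE = HEADER + (
    "    lo: 5000 50 0 0 0 0 0 0 5000 50 0 0 0 0 0 0\n"
    "  eth0: 9000000 80000 2 0 10 2 0 0 100000 1000 0 0 0 12 0 0\n"
)
AFTER = HEADER + (
    "    lo: 5000 50 0 0 0 0 0 0 5000 50 0 0 0 0 0 0\n"
    "  eth0: 9900000 88000 5 0 50 5 0 0 100500 1005 0 0 0 17 0 0\n"
)

def parse_proc_net_dev(text):
    """Return {interface: {counter: value}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        values = rest.split()
        # The two header lines carry no "iface:" prefix; skip anything malformed.
        if not sep or len(values) != len(FIELDS) or not all(v.isdigit() for v in values):
            continue
        stats[name.strip()] = dict(zip(FIELDS, map(int, values)))
    return stats

def counter_deltas(before, after, watch=WATCH):
    """Per-interface increases in the watched counters between two snapshots."""
    report = {}
    for iface in before.keys() & after.keys():
        grew = {}
        for c in watch:
            old, new = before[iface][c], after[iface][c]
            # A counter that went backwards was reset; report its new value.
            diff = new - old if new >= old else new
            if diff:
                grew[c] = diff
        if grew:
            report[iface] = grew
    return report

if __name__ == "__main__":
    # On a live sensor, read open("/proc/net/dev").read() twice, some seconds apart.
    print(counter_deltas(parse_proc_net_dev(BEFORE), parse_proc_net_dev(AFTER)))
```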