tcpdump mailing list archives

questions on -B, performance, mbufs, and libpcap buffers


From: Jon Schipp <jonschipp () gmail com>
Date: Tue, 13 Sep 2011 23:47:17 -0400

Hey guys,

I have a few questions, hopefully someone can set me straight.
Info: *I'm on FreeBSD 8.2* *out of a couple million packets, in a few hours
time, I drop around 4000*
First off are all packets stored in mbufs?
And if so, is it possible to increase the amount of mbuf clusters to improve
tcpdump performance?
I looked up how to do it, but wasn't sure if all packets were stored in
mbufs, I know that socket connections (socket()) are.
When capturing network traffic during peak hours, netstat -m didn't show
that I was running out of mbufs, had a few hundred available.
Again, questioning myself, I wasn't sure if packets for tcpdump were stored
in mbufs, I would expect them to run out if the kernel was dropping them.
Though, I'm assuming that all packets are stored in mbufs and that bpf just
gets a copy of what's in the mbufs. Correct me if I'm wrong.


I'm trying to go through Stevens' TCP/IP Vol 2, it's kicking my butt though
(not a programmer *maybe someday*). I'm hoping someone can clear some of
this up for me.

Second, does -B set an application buffer independent of the libpcap buffer?
What's the default size?
Can capture improvements be made by increasing this value? *I'm dropping
packets at the kernel, according to tcpdump*
Is the argument for -B in Kilobits? (if this isn't associated with the
kernel/libpcap drops, increasing it wouldn't help, I don't think anyway,
still curious though)

I see that the libpcap buffer can be increased with sysctl since libpcap
initializes its buffer amount with bpf sizes:
net.bpf.maxbufsize:

net.bpf.bufsize:

I plan on doing tests with these soon. I'm trying to collect as much
information as possible first.

Third, when tcpdump reports how many packets are dropped by the kernel, is
this the same value as the packets dropped by libpcap?
In other words, does libpcap ask the kernel for the kernel drop amount and
report it as "packets dropped by kernel"? Or will they have different
values?
The reason I ask is that the program ntop has a field that shows "dropped by
(libpcap)" but not a "dropped by kernel".
If they're different, is there a way to find out the root cause: kernel or
libpcap?

Thanks!!!
-- 
- Jon
-- 
------------------------------------------------------------------

VMB: 812-682-0231

Dubois County Linux User Group - http://www.dclinux.org
Southern Indiana Computer Klub - http://sickbits.networklabs.org
Bloomington FOOLS - http://www.bloomingtonfools.org/
BloomingLabs -  http://www.bloominglabs.org
ISSA-Kentuckiana  -  http://issa-kentuckiana.org

GPG Key ID: 810903CB
Key fingerprint = 0069 ED69 EABB DF84 5983  AD3C 6C20 BEFD 8109 03CB
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.