tcpdump mailing list archives

Re: How tcpdump determines the "dropped by kernel"?


From: Eliezer Croitoru <eliezer () ngtech co il>
Date: Mon, 25 Nov 2013 21:01:27 +0200

Hey Guy,

Thanks for the detailed response.
I am running Linux on a couple of systems: Gentoo, Ubuntu 10.04 and newer, CentOS.

On the ubuntu that I am using now:
tcpdump version 4.4.0
libpcap version 1.4.0

On the CentOS it's the exact same version output:
tcpdump version 4.4.0
libpcap version 1.4.0

For one system I have about 15MB/s, and on the others it's much higher, maybe in the hundreds of MB/s, depending on the load and the system size.
It can be 8 cores and 32GB RAM, which is the case on one of them.

So in a case where there is not much RAM limitation on the machine, I would think that an option to use more RAM for these buffers could be an option.

Thanks,
Eliezer


On 25/11/13 20:07, Guy Harris wrote:

On Nov 24, 2013, at 5:04 PM, Eliezer Croitoru <eliezer () ngtech co il> wrote:

Since I would not like to research tcpdump code I would like to get some help about it from others.

So my kernel would declare that packets were dropped, but still the connection was OK and was not disrupted in any way I can think of.

What exactly does this "drop by kernel" mean?
Is it dropped by the kernel and not handled by any application? Or does it mean that the buffers of tcpdump got filled and therefore it was dropped by tcpdump?

It means that:

        tcpdump uses libpcap to do packet capture;

        libpcap uses some mechanism or driver in the OS kernel to do packet capture;

        that mechanism has, for each capture in progress on each network interface, buffers into which copies of packets are placed;

        if *those* buffers fill up, because tcpdump (or whatever application is capturing) isn't processing the packets fast enough, any packets that arrive while the buffers are full are not copied to a buffer for capturing on that interface.

That doesn't mean that the packets aren't delivered to the OS networking stack (or to other captures being done on the same device).

In any case, I would like to do a very big dump into a storage system on a very loaded system, and I would like not to drop any packet at either the kernel or any other level, if possible.
In case there is tuning to the system in a couple of layers, I would like to at least minimize the drops from lots of packets to a small number of packets.

What OS are you capturing on, and what version of libpcap is tcpdump using (run "tcpdump -h" to get the libpcap version)?

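The capture-buffer drops Guy describes above are the numbers tcpdump prints on stderr when it exits ("packets received by filter" / "packets dropped by kernel"). As an added example that is not part of this thread, the POSIX shell helper below parses that exit summary from a constructed sample and reports the kernel drop percentage, and a second function wraps tcpdump with a larger OS capture buffer (the real -B option, in KiB) before running the same check. The exact summary wording and the sample counts are assumptions.

```shell
#!/bin/sh
# Added example, not from the tcpdump thread or project.
# Parses the three-line summary tcpdump 4.x prints on stderr at exit and
# reports how many packets the kernel could not copy into the capture buffer.

# Constructed sample of a tcpdump exit summary (assumed wording).
SAMPLE='1234 packets captured
1300 packets received by filter
66 packets dropped by kernel'

# kernel_drops SUMMARY_TEXT -> prints "<received> <dropped> <percent>"
# received = packets the kernel filter accepted; dropped = packets it could
# not copy into the capture buffer because the capturing process was not
# draining it fast enough (the packets still reached the network stack).
kernel_drops() {
    printf '%s\n' "$1" | awk '
        /packets? received by filter/ { recv = $1 }
        /packets? dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print "0 0 0.00"; exit }
            printf "%d %d %.2f\n", recv, drop + 0, 100 * drop / recv
        }'
}

# capture_check IFACE OUTFILE [BUFFER_KIB]: run tcpdump with a larger OS
# capture buffer (-B, in KiB) and print the drop summary afterward.
# Needs root and a real interface, so it is not invoked by default here.
capture_check() {
    iface=$1; out=$2; bufkib=${3:-65536}
    errlog=$(mktemp)
    tcpdump -i "$iface" -B "$bufkib" -w "$out" 2>"$errlog"
    kernel_drops "$(cat "$errlog")"
    rm -f "$errlog"
}

kernel_drops "$SAMPLE"
```

A non-zero third field means the saved pcap is incomplete for that run, so the capture should be repeated with a larger buffer or a faster sink before it is used as evidence.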

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
