tcpdump mailing list archives

Re: How tcpdump determines the "dropped by kernel"?


From: Eliezer Croitoru <eliezer () ngtech co il>
Date: Mon, 25 Nov 2013 22:16:29 +0200

Oh, OK.

On 25/11/13 21:28, Guy Harris wrote:
> On Nov 25, 2013, at 11:01 AM, Eliezer Croitoru <eliezer () ngtech co il> wrote:
>
>> I am running Linux on a couple of systems: Gentoo, Ubuntu 10.04 and newer, CentOS.
> What kernel version?
I have one 2.6.32-X in the CentOS.
Ubuntu has 3.2+ kernels (3.2, 3.4, 3.7..).
Gentoo is another story but it's similar.


>> On the Ubuntu that I am using now:
>> tcpdump version 4.4.0
>> libpcap version 1.4.0
>>
>> On the CentOS it's the exact same version output:
> If you're running on a system with a 3.2 or later kernel, then, if you use libpcap built from the current Git trunk, it can use version 3 of the memory-mapped capture mechanism (TPACKET_V3), which makes more efficient use of the capture mechanism's buffers than do earlier versions of that mechanism (TPACKET_V1 and TPACKET_V2), resulting in fewer packet drops.
I hope Ubuntu has support for these, but it seems like the 2MB on Linux can easily be increased to more than 50MB on this machine, since I do have lots of RAM free (6GB), which is more than is needed for the task, to my way of thinking.

I will try to test it later.

Thanks again,
Eliezer

>> So in a case where there is not much RAM limitation for the machine, I would think that an option to use more RAM for these buffers can be an option.
> Yes - that's what the -B flag to tcpdump lets you do.  (The default is 2MB on Linux.)


_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
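
The following is an added example, not code from the thread or from tcpdump: it builds a capture command with a larger `-B` buffer (tcpdump takes the value in KiB) and measures kernel drops from the counters tcpdump prints on exit. The interface name, output file, threshold and sample output are constructed assumptions, and the ratio assumes that on Linux "received by filter" includes the dropped packets.

```python
import re

# Counter lines tcpdump writes to stderr when a capture ends.
_SUMMARY = re.compile(
    r"^(\d+) packets? (captured|received by filter|dropped by kernel)\s*$",
    re.MULTILINE,
)

def capture_cmd(iface, buffer_mib, outfile):
    """Build a tcpdump command line; -B takes the buffer size in KiB."""
    return ["tcpdump", "-i", iface, "-B", str(buffer_mib * 1024), "-w", outfile]

def parse_summary(stderr_text):
    """Return the exit counters as a dict; raise if any is missing."""
    counters = {label: int(count) for count, label in _SUMMARY.findall(stderr_text)}
    missing = {"captured", "received by filter", "dropped by kernel"} - counters.keys()
    if missing:
        raise ValueError("summary lines missing: " + ", ".join(sorted(missing)))
    return counters

def kernel_drop_ratio(counters):
    """Fraction of filtered packets lost before tcpdump could read them.
    Assumes 'received by filter' includes the dropped packets (Linux)."""
    received = counters["received by filter"]
    return counters["dropped by kernel"] / received if received else 0.0

def check_capture(stderr_text, max_ratio=0.001):
    """True when kernel drops stay at or below max_ratio (hypothetical threshold)."""
    return kernel_drop_ratio(parse_summary(stderr_text)) <= max_ratio

# Constructed sample of tcpdump's stderr, not output from the thread.
SAMPLE = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
9500 packets captured
10000 packets received by filter
500 packets dropped by kernel
"""

if __name__ == "__main__":
    stats = parse_summary(SAMPLE)
    print(capture_cmd("eth0", 50, "trace.pcap"))
    print(stats, "drop ratio: {:.2%}".format(kernel_drop_ratio(stats)))
    print("capture complete enough:", check_capture(SAMPLE))
```

A capture that fails this check is incomplete evidence: streams reassembled from it can have gaps, so the drop counters belong in the record kept alongside the pcap.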

