Firewall Wizards mailing list archives

Re: Recording slow scans


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 07 Oct 1998 15:43:52 -0400

Vern Paxson wrote:
> Just a tweak, to avoid a misimpression:
>
> > Lots of folks use tcpdump. Depending on the platform you're
> > running it on, take its results with a grain or 2 of salt.
> > We've observed on busy networks that tcpdump reports zero
> > packets lost - but network analyzers and NFRs see more traffic
> > than tcpdump did. Hmmmm.... :)  Just an FYI. Solaris was
> > particularly not so hot in this regard.
>
> This isn't tcpdump at fault here, but instead the local packet filter.
> tcpdump just uses whatever libpcap provides it.  I didn't want folks
> to get the impression that there's something flaky about tcpdump in
> general.

Thanks, Vern, I was unclear.

He's right and I encourage anyone who's interested in sucking
packets to read the references he posted.

The reason I mentioned the tcpdump thing specifically is because
in the past we've had folks say "I'm using tcpdump and it's not
losing ANY packets on this saturated FDDI network. I'm seeing
12,000 packets/second!" and then we notice that we're seeing
17,000 packets/second on the same network...  And neither of
us is losing any. :) Hmmm....  :)

I also wasn't trying to imply that NFR performance is superior
to tcpdump. As Vern says, it's a kernel thing. The version of
bpf we use is not anywhere near factory stock anymore. :) It
seems that, for now, bpf is the best game in town, followed
by dlpi, then the linux bpf emulation (which is yuck-o), and then
various windows NT shims.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
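Added example, not part of the thread or of NFR's code: one way to catch the situation Marcus describes, where the packet filter reports zero drops but a second observer counts more traffic. It parses tcpdump's exit summary and two /proc/net/dev snapshots taken around the capture (Linux is assumed; the summary text, snapshots and the eth0 name are constructed sample data) and reports how many packets the interface received that the filter layer never accounted for.

```python
import re

# Constructed tcpdump exit summary (the three lines tcpdump prints to stderr).
SAMPLE_TCPDUMP_SUMMARY = """\
12000 packets captured
12000 packets received by filter
0 packets dropped by kernel
"""

# Constructed /proc/net/dev snapshots taken just before and just after the run.
PROC_NET_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 9000000  500000    0    0    0     0          0         0  8000000  400000    0    0    0     0       0          0
"""
PROC_NET_DEV_AFTER = PROC_NET_DEV_BEFORE.replace("9000000  500000", "9510000  517000")


def parse_tcpdump_summary(text):
    """Pull the three counters out of tcpdump's summary; None if a line is absent."""
    counts = {}
    for key, pattern in (("captured", r"(\d+) packets captured"),
                         ("received_by_filter", r"(\d+) packets received by filter"),
                         ("dropped_by_kernel", r"(\d+) packets dropped by kernel")):
        match = re.search(pattern, text)
        counts[key] = int(match.group(1)) if match else None
    return counts


def rx_packets(proc_net_dev, iface):
    """Receive-packet counter for one interface from a /proc/net/dev snapshot."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            return int(rest.split()[1])  # column 2 of the Receive block is 'packets'
    raise KeyError("interface %s not in snapshot" % iface)


def cross_check(summary, before, after, iface):
    """Compare the NIC's receive counter with what the packet filter admits to.

    Counter semantics differ between platforms (the thread's point), so treat a
    large positive 'unaccounted' as a red flag to investigate, not an exact audit."""
    counts = parse_tcpdump_summary(summary)
    on_wire = rx_packets(after, iface) - rx_packets(before, iface)
    filter_total = counts["received_by_filter"] + counts["dropped_by_kernel"]
    return {"interface_delta": on_wire, "filter_total": filter_total,
            "unaccounted": on_wire - filter_total}
```

In practice the before/after snapshots are just `cat /proc/net/dev` around the tcpdump run; locally transmitted packets captured in promiscuous mode are not in the receive counter, so run the check on a quiet host or a dedicated sniffing interface.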
