tcpdump mailing list archives
Re: tcpdump drop info?
From: Guy Harris <guy () alum mit edu>
Date: Wed, 9 Apr 2003 15:54:58 -0700
On Wed, Apr 09, 2003 at 02:35:57PM -0700, Joe Elliott wrote:
> I am interested in knowing how the accounting of packets is done and what this message means. Is the 280 unaccounted packets below just overrun as the socket is closed?
There's no socket involved, it's a BPF device, but, yes, that's what it is. On systems with BPF, such as the BSDs, the libpcap statistics come from a BIOCGSTATS ioctl done on the BPF device being used for capturing.
The count of packets received is incremented every time a network device driver calls one of the BPF tap routines to supply a packet to BPF; that happens before the packet is actually read, so, even if the program using libpcap quits reading packets after the millionth packet, more packets might arrive in between the point at which it reads the millionth packet and the point at which it fetches the statistics from the BPF device.
Note, BTW, that it counts packets *before* running the filter on them, so if you did a capture with a filter, the "packets received by filter" count would count packets that *don't* pass the filter as well as packets that *do* pass the filter.
On other OSes, the count may be done in different places, and the results may differ.
> Are they lost in the preamble at startup?
No, they're lost at the end.
> i.e. I asked for a million packets, dropped none, but the filter passed 280 more. Where did they go?
Into the BPF device's buffer, and then, when the BPF device is closed, into the bit bucket when the buffer is closed.
Arguably, tcpdump should keep its *own* count of packets that it actually processed, and report *that* count first.
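
The accounting described in this message, as a simplified C model added here for illustration. It is not code from the original post, from libpcap or from any kernel; all names are hypothetical, and the buffer size and traffic pattern are constructed.

```c
/* Simplified model of BPF-style packet accounting. Hypothetical names throughout. */
#include <stdio.h>

#define BUF_SLOTS 512   /* constructed buffer capacity, in packets */

struct model_bpf  { unsigned recv, drop, buffered; };
struct run_result { unsigned processed, recv, drop, discarded_at_close; };

/* Constructed traffic: every filter_mod-th packet fails the filter (0 = no filter). */
static int passes(unsigned seq, unsigned filter_mod)
{
    return filter_mod == 0 || seq % filter_mod != 0;
}

/* Driver hands a packet to the tap: it is counted first, filtered second. */
static void model_tap(struct model_bpf *d, int pass)
{
    d->recv++;                               /* counted before the filter runs */
    if (!pass) return;                       /* rejected, but already counted */
    if (d->buffered == BUF_SLOTS) { d->drop++; return; }
    d->buffered++;
}

/* Application reads one packet; returns 1 if one was waiting. */
static int model_read(struct model_bpf *d)
{
    if (d->buffered == 0) return 0;
    d->buffered--;
    return 1;
}

/* Read `want` packets, then let `late` more arrive before statistics are fetched. */
struct run_result simulate(unsigned want, unsigned late, unsigned filter_mod)
{
    struct model_bpf d = {0, 0, 0};
    struct run_result r = {0, 0, 0, 0};
    unsigned seq = 0, i;

    while (r.processed < want) {             /* a packet arrives, the reader keeps up */
        seq++; model_tap(&d, passes(seq, filter_mod));
        r.processed += model_read(&d);       /* the application's own count */
    }
    for (i = 0; i < late; i++) {             /* reader has stopped reading */
        seq++; model_tap(&d, passes(seq, filter_mod));
    }
    r.recv = d.recv; r.drop = d.drop;        /* statistics fetched at this point */
    r.discarded_at_close = d.buffered;       /* left in the buffer, lost on close */
    return r;
}

int main(void)
{
    struct run_result r = simulate(1000000, 280, 0);
    printf("processed=%u received=%u dropped=%u discarded_at_close=%u\n",
           r.processed, r.recv, r.drop, r.discarded_at_close);
    return 0;
}
```

The `processed` field is the application-side count the message argues should be reported first; the gap between it and `recv` is made up of late arrivals and, when a filter is in use, packets the filter rejected.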