Re: How to tell if application is handling packets too slowly, causing them to be missed?

[Guy Harris <guy () alum mit edu>]

On Dec 26, 2009, at 9:27 AM, Chris Morgan wrote:

> I have a case where it appears that packets are being missed or
> dropped. I wonder if this is due to too much processing being done in
> the pcap_dispatch() handler in my application in cases where there are
> bursts of packets like facebook chat messages or website visits.
>
> My question is how to detect this situation at runtime or via a test
> case. I thought of using pcap_stats() but I wasn't sure if
> pcap_stat.ps_drop was the number of packets that were dropped only due
> to buffer overruns due to the application callback not processing
> packets quick enough, or if this count referred to duplicate/error
> packets and/or packets dropped due to buffer overruns.

On what version of OS are you capturing the traffic (for a Linux distribution, give the kernel version), and with what 
version of libpcap are you doing this?  ps_drop is *supposed* to reflect only packets dropped due to buffer overruns, 
but

        1) on some OSes, the capture mechanism doesn't make that information available;

        2) there were, I think, bugs in some versions of libpcap on some platforms that caused ps_drop not to correctly 
reflect that.

I don't *think* any of those bugs caused it to count packets dropped due to network errors, and libpcap and the capture 
mechanisms it uses don't drop duplicate packets.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.