tcpdump mailing list archives

Re: libpcap delivering the same packet more than once under high load?


From: Alexander Dupuy <alex.dupuy () mac com>
Date: Tue, 14 Sep 2010 08:48:13 -0400

Jim Lloyd writes:
> These duplicate packets cannot be unique packets that were retransmitted
> between the two machines on the layer 1 GigE link, because if there was a
> significant increase in retransmission duplicates on the link, they would
> have competed for the fixed 1Gbps channel capacity. But the data is
> consistent with libpcap delivering the same packets more than once.

How are you capturing these packets (i.e. where is your libpcap application running, and what is it monitoring)?

If you are using a switch mirror or SPAN port to capture the traffic, there are many configurations that will capture packets multiple times, e.g. both on receive from one port and transmit on another. If your traffic is crossing multiple (V)LANs which are being monitored, you can also see packets that are not exact duplicates (different MAC addresses, IP TTL/hop count & checksum) but which are effectively duplicates at the TCP layer.

If your libpcap application is running on the sender or receiver, and monitoring the host's interface that is used for the test traffic, you won't have this problem (although depending on your hardware you may see transmitted traffic that is not what actually goes out on the wire - e.g. TCP segmentation offload will split/fragment packets but libpcap will not see that).

Unless you are using an optical tap or port replicator or something like that to perform the traffic capture, it is generally the case that what you see is not 100% identical to what is actually going across the wire.

Some other non-libpcap-related reasons why what you see is not exactly what was on the wire are in the kernel - on some multiprocessor systems (Linux at least, perhaps this is also true for *BSD) you may get packets in a different order than the one in which they were actually received (you can even see this in the libpcap packet receive timestamps).

All of these are not the fault of libpcap - although it is possible to add functionality to libpcap (or your application) to eliminate duplicate packets and/or reorder packets based on receive timestamps - we have done the former in our applications.

@alex

--
mailto:alex.dupuy () mac com

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
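
The message above mentions dropping duplicates in the application, including SPAN/VLAN copies that differ only in MAC addresses, TTL and checksum. The following is an added example, not code from the post, its author or libpcap: it keys each Ethernet/IPv4 frame on the bytes that survive such a hop and checks the key against a ring of recent packets. The names `packet_key`, `is_duplicate` and `RING`, the ring size and the choice of FNV-1a as the hash are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RING 1024                 /* recent keys remembered (assumed size) */
static uint64_t ring[RING];
static size_t ring_pos;

static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    while (n--) { h ^= *p++; h *= 1099511628211ULL; }
    return h;
}

/* Key an Ethernet/IPv4 frame by what survives a routed or VLAN hop:
 * MAC addresses and 802.1Q tags are skipped, TTL and the IP header
 * checksum are zeroed, Ethernet padding is excluded via the IP total
 * length. Returns 0 for non-IPv4 or truncated frames. */
uint64_t packet_key(const uint8_t *f, size_t len) {
    size_t off = 12;                                  /* past dst + src MAC */
    while (len >= off + 2 && f[off] == 0x81 && f[off + 1] == 0x00)
        off += 4;                                     /* skip 802.1Q tag(s) */
    if (len < off + 2 || f[off] != 0x08 || f[off + 1] != 0x00)
        return 0;                                     /* not IPv4 */
    off += 2;
    if (len < off + 20 || (f[off] >> 4) != 4)
        return 0;
    size_t tot = ((size_t)f[off + 2] << 8) | f[off + 3];
    if (tot < 20 || tot > len - off)
        return 0;                                     /* cut by snaplen */
    uint8_t hdr[20];
    memcpy(hdr, f + off, sizeof hdr);
    hdr[8] = 0;                                       /* TTL */
    hdr[10] = hdr[11] = 0;                            /* header checksum */
    uint64_t h = fnv1a(14695981039346656037ULL, hdr, sizeof hdr);
    h = fnv1a(h, f + off + 20, tot - 20);             /* options + payload */
    return h ? h : 1;
}

/* 1 if an equivalent packet is among the last RING keyed packets. */
int is_duplicate(const uint8_t *f, size_t len) {
    uint64_t k = packet_key(f, len);
    if (k == 0)
        return 0;                                     /* unkeyed: never drop */
    for (size_t i = 0; i < RING; i++)
        if (ring[i] == k)
            return 1;
    ring[ring_pos] = k;
    ring_pos = (ring_pos + 1) % RING;
    return 0;
}
```

In a libpcap application, `is_duplicate` would be called from the packet callback with the captured bytes and `caplen`; frames it cannot key (non-IPv4, or cut short by the snapshot length) are always passed through.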

