tcpdump mailing list archives

Re: "not vlan" filter expression broken catastrophically!


From: Rick Jones <rick.jones2 () hp com>
Date: Mon, 04 Feb 2013 10:46:41 -0800

On 02/04/2013 01:29 AM, David Laight wrote:
I agree. Honestly I think a perfectly reasonable stance to take is
requesting that the filters get packets *as seen on the wire/nic*. I
think that's the mental model everyone uses, and any deviation from
that model is prone to bugs in the kernel, libpcap, and for the end user.

TX and RX segmentation offload also confuse matters here.
I think Linux can give libpcap large TCP fragments even when the
hardware isn't doing segmentation offload.
This also breaks the mental model.

That would be "GRO" - Generic Receive Offload. NIC-based "LRO" (Large Receive Offload) would as well. Might also include GSO - Generic Segmentation Offload rather than TSO.

TX Checksum Offload (CKO) also breaks the mental model in that it tricks tcpdump into reporting false invalid checksum warnings.

I don't think that Linux is particularly alone in the matter of stateless offloads taking what someone running tcpdump sees farther from the stated philosophy. Other stacks may or may not have GSO and GRO (I think Solaris has something like GSO called Multi-Data Transmit) but do have CKO, and TSO.

I do not know what to suggest about the matter with vlans and those headers being/not being stripped automagically, but I suspect that the likelihood of getting Linux (or another stack) to toast the stateless offloads in the name of packet capture purity is epsilon.

It may be unpleasant, but if the goal is to see traffic as seen on the wire/NIC, packet capture in a general-purpose end system isn't going to achieve it any longer. Nor has it really for many years. There are too many demands on performance to make the stateless offloads go away. Particularly since individual cores have ceased getting faster particularly.

Seeing just what traffic looks like "on the wire" will require interposing a "dedicated" capture device of some sort. Perhaps implemented in a general-purpose system with all the stateless stuff disabled, and the affiliated performance issues. But on the end-system involved in the conversations? Nope. The stateless offloads and their effect on what one sees via packet capture are here to stay.

rick jones
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
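
Added example, not part of the original message: a check of which of the stateless offloads named above are enabled on a capture interface, and the `ethtool -K` call that would turn them off on a dedicated capture host. The feature names and short flags are those of Linux ethtool; the interface name `eth0` and the sample output are constructed assumptions.

```python
import re

# Feature names as printed by `ethtool -k <iface>` on Linux, each mapped to
# its `ethtool -K` short flag and the capture artifact it causes when enabled.
CAPTURE_EFFECTS = {
    "tx-checksumming": ("tx", "outbound checksums not yet filled in; tcpdump flags them as bad"),
    "tcp-segmentation-offload": ("tso", "outbound TCP captured as large pre-segmentation buffers"),
    "generic-segmentation-offload": ("gso", "outbound packets captured before software segmentation"),
    "generic-receive-offload": ("gro", "inbound TCP segments merged before capture"),
    "large-receive-offload": ("lro", "inbound TCP segments merged by the NIC"),
    "rx-vlan-offload": ("rxvlan", "802.1Q tag removed from the frame data by the NIC"),
}

FEATURE_LINE = re.compile(r"^\s*([a-z0-9-]+):\s+(on|off)\b(.*)$")

# Constructed sample of `ethtool -k eth0` output (not taken from a real host).
SAMPLE = """\
Features for eth0:
rx-checksumming: on
tx-checksumming: on
\ttx-checksum-ipv4: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
"""

def parse_features(text):
    """Return {feature: (enabled, fixed)} from `ethtool -k` output."""
    feats = {}
    for line in text.splitlines():
        m = FEATURE_LINE.match(line)
        if m:
            feats[m.group(1)] = (m.group(2) == "on", "[fixed]" in m.group(3))
    return feats

def capture_distortions(text):
    """List (feature, flag, fixed, effect) for enabled offloads that alter captures."""
    feats = parse_features(text)
    return [(name, flag, feats[name][1], effect)
            for name, (flag, effect) in CAPTURE_EFFECTS.items()
            if feats.get(name, (False, False))[0]]

def disable_command(iface, text):
    """Build the `ethtool -K` call for a dedicated capture host; fixed features are skipped."""
    flags = [flag for _, flag, fixed, _ in capture_distortions(text) if not fixed]
    return ["ethtool", "-K", iface] + [arg for f in flags for arg in (f, "off")] if flags else []

if __name__ == "__main__":
    for name, flag, fixed, effect in capture_distortions(SAMPLE):
        print(f"{name}{' [fixed]' if fixed else ''}: {effect}")
    print(" ".join(disable_command("eth0", SAMPLE)))
```

Features marked `[fixed]` cannot be changed by ethtool, so they are reported but left out of the generated command.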

