Firewall Wizards mailing list archives

Re: Recording slow scans


From: Vern Paxson <vern () ee lbl gov>
Date: Wed, 07 Oct 1998 11:18:57 PDT

Just a tweak, to avoid a misimpression:

> Lots of folks use tcpdump. Depending on the platform you're
> running it on, take its results with a grain or two of salt.
> We've observed on busy networks that tcpdump reports zero
> packets lost - but network analyzers and NFRs see more traffic
> than tcpdump did. Hmmmm.... :)  Just an FYI. Solaris was
> particularly not so hot in this regard.

This isn't tcpdump at fault here, but instead the local packet filter.
tcpdump just uses whatever libpcap provides it.  I didn't want folks
to get the impression that there's something flaky about tcpdump in
general.

For those interested, there's a chapter in my thesis that details
a variety of packet filter horror stories:

        ftp://ftp.ee.lbl.gov/papers/vp-thesis/filter.ps.gz
        ftp://ftp.ee.lbl.gov/papers/vp-thesis/filter.pdf

- Vern
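The point of the exchange above is that the "packets dropped by kernel" figure tcpdump prints is only what the local packet filter chooses to count, so a zero there is not proof that the capture is complete. The check below is an added example, not code from this thread, from tcpdump or from the thesis: it audits a capture using the TCP stream itself as the witness. A byte range that the peer acknowledges but the capture never contains, with no retransmission ever filling it, cannot have been lost on the wire (the receiver got it); the monitor missed it. The traces, the endpoints 10.0.0.1:40000 and 10.0.0.2:80, and the sequence numbers are all constructed for illustration; the code assumes plain cumulative ACKs (no SACK, no sequence wraparound).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Seg:
    """One captured TCP segment (constructed record, not parsed from a pcap)."""
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    seq: int            # first byte of payload in the sender's sequence space
    length: int         # payload bytes carried (0 for a pure ACK)
    ack: Optional[int] = None   # cumulative ACK carried by this segment, if any

Range = Tuple[int, int]         # half-open byte range [start, end)

def _fill(holes: List[Range], seg_start: int, seg_end: int) -> List[Range]:
    """Remove the part of each hole that a (re)transmitted segment now covers."""
    remaining = []
    for start, end in holes:
        if seg_end <= start or seg_start >= end:      # no overlap
            remaining.append((start, end))
            continue
        if seg_start > start:                          # hole survives on the left
            remaining.append((start, seg_start))
        if seg_end < end:                              # hole survives on the right
            remaining.append((seg_end, end))
    return remaining

def audit_capture(segments: List[Seg]):
    """Return [(direction, start, end)] for byte ranges the peer acknowledged
    but the capture never contains: evidence the monitor dropped them, whatever
    the packet filter's own drop counter says.  A hole that is later filled by a
    retransmission (and was not acked first) is ordinary network loss and is
    not reported."""
    seen_end = {}                       # direction -> highest seq+len captured
    holes = defaultdict(list)           # direction -> uncaptured ranges below seen_end
    missed = []
    for s in segments:
        d = (s.src, s.dst)
        if s.length:
            end = s.seq + s.length
            if d in seen_end and s.seq > seen_end[d]:
                holes[d].append((seen_end[d], s.seq))    # jumped past uncaptured bytes
            elif d in seen_end:
                holes[d] = _fill(holes[d], s.seq, end)   # retransmission may plug a hole
            seen_end[d] = max(seen_end.get(d, 0), end)
        if s.ack is None:
            continue
        r = (s.dst, s.src)              # the ACK covers data flowing the other way
        if r not in seen_end:
            continue
        still_open = []
        for start, end in holes[r]:
            if s.ack >= end:            # whole hole acknowledged: monitor missed it
                missed.append((r, start, end))
            elif s.ack > start:         # partially acknowledged: split the hole
                missed.append((r, start, s.ack))
                still_open.append((s.ack, end))
            else:
                still_open.append((start, end))
        holes[r] = still_open
        if s.ack > seen_end[r]:         # acked beyond anything the capture holds
            missed.append((r, seen_end[r], s.ack))
            seen_end[r] = s.ack         # count it once
    return missed

def missing_bytes(report) -> int:
    """Total bytes the capture provably failed to record."""
    return sum(end - start for _, start, end in report)

# Constructed sample: A sends 600 bytes to B in six 100-byte segments.
A, B = "10.0.0.1:40000", "10.0.0.2:80"
WIRE_TRACE = [                          # everything that actually crossed the wire
    Seg(A, B, 1000, 100, 5000), Seg(B, A, 5000, 0, 1100),
    Seg(A, B, 1100, 100), Seg(A, B, 1200, 100), Seg(A, B, 1300, 100),
    Seg(B, A, 5000, 0, 1400),
    Seg(A, B, 1400, 100), Seg(A, B, 1500, 100), Seg(B, A, 5000, 0, 1600),
]
# The monitor's filter silently dropped segments 1200, 1400 and 1500 (indices 3, 6, 7)
# while its drop counter still reads zero.
MONITOR_TRACE = [WIRE_TRACE[i] for i in (0, 1, 2, 4, 5, 8)]
# Genuine network loss: segment 1100 never reaches B, B dup-acks 1100, A retransmits.
NETWORK_LOSS_TRACE = [
    Seg(A, B, 1000, 100), Seg(A, B, 1200, 100), Seg(B, A, 5000, 0, 1100),
    Seg(A, B, 1100, 100), Seg(B, A, 5000, 0, 1300),
]

if __name__ == "__main__":
    for name, trace in (("wire", WIRE_TRACE), ("monitor", MONITOR_TRACE),
                        ("network loss", NETWORK_LOSS_TRACE)):
        rep = audit_capture(trace)
        print(f"{name:13s} kernel drop counter: 0  bytes provably missed: {missing_bytes(rep)}")
```

Run against a real capture this would sit behind a pcap parser rather than the constructed `Seg` records; the logic is the same. It reports only what can be proven from acknowledgements, so it gives a lower bound on capture loss, which is exactly the figure to compare against the zero the filter is reporting.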