tcpdump mailing list archives

Re: dropping of packets


From: Guy Harris <gharris () sonic net>
Date: Fri, 30 May 2003 03:22:35 -0700

> I have seen that tcpdump will at the end of a trace give the number of
> packets that have been dropped by the kernel, but this does not seem to
> have any relation to packets being discarded because of their malicious
> nature.

You are correct - it doesn't have any relation to that.

It's the number of packets dropped *by the mechanism tcpdump is using
to capture packets*.  I.e., it's the number of packets that would have
been delivered *to tcpdump* by that mechanism, but that were dropped
because, for example, tcpdump wasn't running fast enough to capture
them.

> I am running Red Hat, and I would like to know which process in the OS
> that takes care of discarding.  If TCPdump is interacting with the
> protocol stack via the application layer, should it not be the case that
> TCPdump should not be able to sniff malicious datagrams as they should
> have been discarded by the network layer already?

No, because tcpdump doesn't interact with the protocol stack in that
fashion.  The exact way it does so depends on the OS you're using, but,
for example, on Linux, it interacts with the protocol stack by using
PF_PACKET sockets (see the PACKET(7) man page); the path from the
network interface driver to a PF_PACKET socket is different from the
path from the network interface driver to network-layer code such as the
IPv4 or IPv6 code, and even if the network-layer code discards malicious
datagrams, it's only discarding the copy sent to it - the copy sent to
PF_PACKET sockets won't be discarded.
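The two points above (the drop counter belongs to the capture mechanism, and the PF_PACKET copy of a frame is delivered whether or not the IP layer later discards its own copy) can be seen directly from a small Linux program. The following is an added example, not code from this thread, from tcpdump, or from libpcap: it opens a PF_PACKET socket the way libpcap does on Linux, reads the socket's own receive/drop counters via PACKET_STATISTICS (the source of the "dropped by kernel" number), and runs the basic IPv4 header checks the kernel's IP input path applies (version, IHL, total length, header checksum) on each captured frame, so a frame that the IP layer would reject is still visible on the socket. The function names, the default interface name "eth0", and the assumption that whole frames are captured (no snaplen truncation) are mine; capturing needs CAP_NET_RAW, but the header-check and sample-builder functions run unprivileged.

```c
// Added example (not from the original post, tcpdump or libpcap). Assumes Linux,
// CAP_NET_RAW for the capture part, and untruncated frames; interface name and
// function names are assumptions for illustration.
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Why the IPv4 input path would discard a datagram; IP_OK means it passes. */
enum ip_verdict { IP_OK = 0, IP_TOO_SHORT, IP_BAD_VERSION, IP_BAD_IHL,
                  IP_BAD_LEN, IP_BAD_CSUM };

/* Ones-complement checksum over the header; returns 0 for a valid header. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(hdr[i] << 8 | hdr[i + 1]);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checks mirroring what the kernel's IP receive path does before handing a
 * datagram up; 'pkt' points at the IPv4 header, 'caplen' is bytes available. */
enum ip_verdict ipv4_input_check(const uint8_t *pkt, size_t caplen) {
    if (caplen < 20) return IP_TOO_SHORT;
    if ((pkt[0] >> 4) != 4) return IP_BAD_VERSION;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > caplen) return IP_BAD_IHL;
    size_t tot = (size_t)(pkt[2] << 8 | pkt[3]);
    if (tot < ihl || tot > caplen) return IP_BAD_LEN;          /* truncated */
    if (ip_checksum(pkt, ihl) != 0) return IP_BAD_CSUM;
    return IP_OK;
}

/* Constructed sample: a minimal, valid 20-byte IPv4 header (ICMP, 192.168.0.1
 * -> 192.168.0.2) with a correct checksum. Returns bytes written, 0 if no room. */
size_t build_sample_ipv4(uint8_t *buf, size_t room) {
    static const uint8_t hdr[20] = {
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01,
        0x00, 0x00, 192, 168, 0, 1, 192, 168, 0, 2 };
    if (room < sizeof hdr) return 0;
    memcpy(buf, hdr, sizeof hdr);
    uint16_t cs = ip_checksum(buf, sizeof hdr);   /* field is zero here */
    buf[10] = (uint8_t)(cs >> 8);
    buf[11] = (uint8_t)(cs & 0xff);
    return sizeof hdr;
}

/* Opens and binds the PF_PACKET socket libpcap uses on Linux; -1 on failure. */
int open_capture(const char *ifname) {
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The socket's own counters: frames queued to this socket and frames dropped
 * because its buffer was full (reader too slow). This is what pcap_stats()
 * reports and tcpdump prints at exit. Reading resets the counters. */
int capture_stats(int fd, unsigned *received, unsigned *dropped) {
    struct tpacket_stats st;
    socklen_t len = sizeof st;
    if (getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, &st, &len) < 0) return -1;
    *received = st.tp_packets;
    *dropped = st.tp_drops;
    return 0;
}

int main(int argc, char **argv) {
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed default */
    int fd = open_capture(ifname);
    if (fd < 0) { perror("open_capture"); return 1; }
    uint8_t frame[65536];
    for (int n = 0; n < 20; n++) {
        ssize_t len = recv(fd, frame, sizeof frame, 0);
        if (len < ETH_HLEN) continue;
        /* Only IPv4 frames are checked; the PF_PACKET copy arrived regardless. */
        if (frame[12] != 0x08 || frame[13] != 0x00) continue;
        enum ip_verdict v = ipv4_input_check(frame + ETH_HLEN, (size_t)len - ETH_HLEN);
        printf("frame %zd bytes: IP layer verdict %d (0 = would be accepted)\n", len, v);
    }
    unsigned rx, drops;
    if (capture_stats(fd, &rx, &drops) == 0)
        printf("%u packets received by socket, %u dropped by kernel\n", rx, drops);
    close(fd);
    return 0;
}
```

Run it as root with an interface name; a non-zero verdict on a frame shows exactly the situation described above, a datagram the IP code would discard but the capture socket still received. The drop count at the end counts only frames the socket could not queue for this program, not anything the IP layer rejected.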
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe