tcpdump mailing list archives

Re: tcpdump drop info?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 9 Apr 2003 15:54:58 -0700

On Wed, Apr 09, 2003 at 02:35:57PM -0700, Joe Elliott wrote:
> I am interested in knowing how the accounting of packets is done and
> what this message means. Are the 280 unaccounted packets below just
> overrun as the socket is closed?

There's no socket involved, it's a BPF device, but, yes, that's what it
is.

On systems with BPF, such as the BSDs, the libpcap statistics come from
a BIOCGSTATS ioctl done on the BPF device being used for capturing.  The
count of packets received is incremented every time a network device
driver calls one of the BPF tap routines to supply a packet to BPF; that
happens before the packet is actually read, so, even if the program
using libpcap quits reading packets after the millionth packet, more
packets might arrive in between the point at which it reads the
millionth packet and the point at which it fetches the statistics from
the BPF device.

Note, BTW, that it counts packets *before* running the filter on them,
so if you did a capture with a filter, the "packets received by filter"
count would count packets that *don't* pass the filter as well as
packets that *do* pass the filter.

On other OSes, the count may be done in different places, and the
results may differ.

> Are they lost in the preamble at startup?

No, they're lost at the end.

> i.e. I asked for a million packets, dropped none, but the filter
> passed 280 more. Where did they go?

Into the BPF device's buffer, and then, when the BPF device is closed,
into the bit bucket when the buffer is closed.

Arguably, tcpdump should keep its *own* count of packets that it
actually processed, and report *that* count first.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
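The accounting Guy describes (count in the tap before the filter, buffer what passes, discard the buffer on close, and keep a separate user-side count) as an added, self-contained model. This is not tcpdump or libpcap code and does not touch a real BPF device: the counter names bs_recv and bs_drop follow struct bpf_stat as returned by BIOCGSTATS, but the packet source, the "port 80" filter, the batch size and the hold-buffer capacity are constructed stand-ins chosen so the run is reproducible offline.

```c
/*
 * Added example (not tcpdump/libpcap code): a user-space model of the BPF
 * statistics accounting.  bs_recv/bs_drop mirror struct bpf_stat; the
 * packet generator, filter, batch size and capacity are constructed.
 */
#include <stdbool.h>
#include <stdio.h>

struct model_stat {
    unsigned int bs_recv;   /* bumped in the tap, before the filter runs */
    unsigned int bs_drop;   /* bumped when the hold buffer has no room */
};

struct model_bpf {
    struct model_stat st;
    unsigned int capacity;    /* hold-buffer size in packets (assumed) */
    unsigned int queued;      /* passed the filter, not yet read by the user */
    unsigned int read_total;  /* the reader's own count of packets consumed */
};

struct model_pkt { unsigned int dst_port; };

struct run_result {
    unsigned int recv;           /* what BIOCGSTATS would report as bs_recv */
    unsigned int drop;           /* what BIOCGSTATS would report as bs_drop */
    unsigned int read_total;     /* packets the program actually processed */
    unsigned int lost_at_close;  /* passed the filter, discarded on close */
};

/* Constructed filter standing in for "port 80". */
static bool filter_port80(const struct model_pkt *p)
{
    return p->dst_port == 80;
}

/* The tap: the driver hands every packet here.  Order matters: count
 * first, filter second, so bs_recv includes packets the filter rejects. */
static void model_tap(struct model_bpf *d, const struct model_pkt *p)
{
    d->st.bs_recv++;
    if (!filter_port80(p))
        return;
    if (d->queued >= d->capacity) {
        d->st.bs_drop++;          /* buffer full: this is a real drop */
        return;
    }
    d->queued++;
}

/* The user reads at most n packets from the buffer. */
static unsigned int model_read(struct model_bpf *d, unsigned int n)
{
    unsigned int got = d->queued < n ? d->queued : n;
    d->queued -= got;
    d->read_total += got;
    return got;
}

/* Closing the device throws away whatever is still buffered. */
static unsigned int model_close(struct model_bpf *d)
{
    unsigned int lost = d->queued;
    d->queued = 0;
    return lost;
}

/* Deliver packets in batches of `batch` until the reader has `want` of
 * them, the way tcpdump -c stops after its count.  Three of every five
 * constructed packets go to port 80 and pass the filter; the rest do not. */
struct run_result run_capture(unsigned int want, unsigned int batch,
                              unsigned int capacity)
{
    struct model_bpf d = { {0, 0}, capacity, 0, 0 };
    struct run_result r;
    unsigned int seq = 0;

    while (d.read_total < want) {
        for (unsigned int i = 0; i < batch; i++, seq++) {
            struct model_pkt p = { (seq % 5 < 3) ? 80 : 443 };
            model_tap(&d, &p);
        }
        model_read(&d, want - d.read_total);
    }
    r.recv = d.st.bs_recv;        /* the BIOCGSTATS snapshot, taken after the last read */
    r.drop = d.st.bs_drop;
    r.read_total = d.read_total;
    r.lost_at_close = model_close(&d);
    return r;
}

int main(void)
{
    struct run_result r = run_capture(1000000, 1000, 4096);
    printf("%u packets received by filter\n", r.recv);
    printf("%u packets dropped by kernel\n", r.drop);
    printf("%u packets processed, %u discarded from the buffer at close\n",
           r.read_total, r.lost_at_close);
    return 0;
}
```

The invariant to check against any such run is read_total + drop + lost_at_close == packets that passed the filter, while recv also counts everything the filter rejected; that is why "received by filter" can exceed the processed count with zero drops, and why the count the program keeps itself is the one to trust. With real libpcap the snapshot comes from pcap_stats(), whose ps_recv and ps_drop are filled from BIOCGSTATS on BPF systems and from other sources elsewhere.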