tcpdump mailing list archives

packets dropped by kernel


From: Jay Aikat <aikat () cs unc edu>
Date: Tue, 1 Apr 2003 11:17:41 -0500 (EST)


Hi all,
        I have a question about reducing the "packets dropped by kernel"
while using tcpdump.  Any pointers or advice is much appreciated.

Here's our scenario:

 -- running FreeBSD 4.7, tcpdump version 3.7.1, libpcap version 0.7

 -- we're tracing a 1Gbps link, with a load of 184 Mbps on average.

 -- the machine running tcpdump is a 1.8GHz Pentium with 1.2GB memory,
        36GB SCSI disks capable of 440 Mbps throughput.

So, here's our problem.  We see "packets dropped by kernel" around 0.03%
of the total packets seen by filter.  This happens when we use the "-w"
option to write to disk, but if we write to "/dev/null" instead, we see 
0 packets dropped.  

I realize this might make you decide that the disk is not keeping up, but
then we have confirmed disk throughput to be 440 Mbps.  Any ideas on what
might be causing these drops?  And how we could fix them?

Some related questions:

  -- we're using tcpdump to only capture the default 68 bytes of header;
        I assume tcpdump buffers a certain number of packet headers before
        writing to disk -- any idea what the default buffer is?

  -- if this is a buffer overflow problem, what buffers can we tune?
        We've tried increasing the bpfbufsize to several MB from the
        default 4K, but not much improvement due to that.  
        kern.ipc.nmbufs are set to 256K which I believe is the max.

Thanks for any leads to solve this problem.  Needless to say, we would
like to reduce the "packets dropped by kernel" to zero :)
Thanks!
--jay.



 =============================================================
 | Jay Aikat           Graduate Student & Research Assistant |
 | <aikat () cs unc edu>  <http://www.cs.unc.edu/~aikat/>       | 
 ============================================================= 



-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

