tcpdump mailing list archives
Re: Output goes weird!
From: Justin Robinson <csmjmr () bath ac uk>
Date: Mon, 15 Sep 2003 00:08:20 +0100
The reason I want to increase it is because I keep dropping loads of packets. Half the packets are being dropped on a machine that is supposed to have server specs. I'm talking about increasing size of the buffer the kernel uses for capturing packets, not the snap length. ----- Original Message ----- From: "David Chang" <dchang () fsautomation com> To: "Justin Robinson" <csmjmr () bath ac uk> Sent: Tuesday, January 15, 2002 5:43 AM Subject: Re: [tcpdump-workers] Output goes weird!
Justin, My understanding is the capture buffer is quite large. Why do you want to increase it? If you're referring to the individual packet capture buffer (i.e.
'caplen'),
you do it in pcap_open_live(). For example: handle = pcap_open_live(device, MAX_PACKET_SIZE, mode, 500, err_buf); and set MAX_PACKET_SIZE to something like 4K. I read a tutorial that used BUFSIZ for the caplen, which is OK on most systems, but in Solaris, BUFSIZ was only 1024 and that's smaller than the MTU on Ethernet networks, so some packets were truncated. Maybe that's what's happening to you in FreeBSD. DC ----- Original Message ----- From: "Justin Robinson" <csmjmr () bath ac uk> To: <tcpdump-workers () tcpdump org> Sent: Saturday, September 13, 2003 3:00 AM Subject: Fw: [tcpdump-workers] Output goes weird!Hi How would I go about increasing the buffer size on FreeBSD? I've read
lots
about it but I'm not quite sure how you do it. Do I have to change the pcap source and recompile. If so... how do I dothisplease? Thanks in advance Regards Justin ----- Original Message ----- From: <csmjmr () bath ac uk> To: "Guy Harris" <guy () alum mit edu> Cc: <tcpdump-workers () tcpdump org>; "Michael Richardson" <mcr () sandelman ottawa on ca> Sent: Friday, September 12, 2003 10:11 AM Subject: Re: [tcpdump-workers] Output goes weird!HiThe non-printable characters problem is fixed. I fixed it by setting the snaplen to 2048.That's not a fix, that just hides the problem - your program should, for safety's sake, check the "caplen" field of the pcap_pkthdr structure, and not look at any bytes past that length. (Yes, ifyou'recapturing on a network where packets are never > 2048 bytes, you *should* be safe - but, just in case the packet is somehow
malformed,
you should *still* do that check.)I see - Ok... I will add this check (or at least write about it :o))The packet dropping is a separate problem. I used TCPDUMP to tell me wether packets were being dropped... at the end where it gives number received and number dropped bykernel.Are you using a packet filter expression when capturing? I.e., does your program do a "pcap_compile()" and a "pcap_setfilter()"?Yes I'm applying a filter with pcap_compile() and then
pcap_setfilter().
Justin - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe usemailto:tcpdump-workers-request () tcpdump org?body=unsubscribe- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe usemailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- Re: Output goes weird!, (continued)
- Re: Output goes weird! Justin Robinson (Sep 10)
- Re: Output goes weird! Guy Harris (Sep 10)
- Re: Output goes weird! (Sep 11)
- Re: Output goes weird! Guy Harris (Sep 11)
- Re: Output goes weird! (Sep 11)
- Re: Output goes weird! Guy Harris (Sep 11)
- Re: Output goes weird! (Sep 12)
- Re: Output goes weird! Justin Robinson (Sep 10)
- Re: Output goes weird! Michael Richardson (Sep 11)
- Message not available
- Re: Output goes weird! Justin Robinson (Sep 14)
- Re: Output goes weird! Richard Sharpe (Sep 14)