Re: Output goes weird!

[Justin Robinson <csmjmr () bath ac uk>]

The reason I want to increase it is because I keep dropping loads of
packets.
Half the packets are being dropped on a machine that is supposed to have
server specs.

I'm talking about increasing size of the buffer the kernel uses for
capturing packets, not the snap length.

----- Original Message -----
From: "David Chang" <dchang () fsautomation com>
To: "Justin Robinson" <csmjmr () bath ac uk>
Sent: Tuesday, January 15, 2002 5:43 AM
Subject: Re: [tcpdump-workers] Output goes weird!


> Justin,
>
> My understanding is the capture buffer is quite large.  Why do you want to
> increase it?
>
> If you're referring to the individual packet capture buffer (i.e.
'caplen'),
> you do it in pcap_open_live().
>
> For example:
>
>         handle = pcap_open_live(device, MAX_PACKET_SIZE, mode, 500,
> err_buf);
>
> and set MAX_PACKET_SIZE to something like 4K.
>
> I read a tutorial that used BUFSIZ for the caplen, which is OK on most
> systems, but in Solaris, BUFSIZ was only 1024 and that's smaller than the
> MTU on Ethernet networks, so some packets were truncated.  Maybe that's
> what's happening to you in FreeBSD.
>
> DC
>
> ----- Original Message -----
> From: "Justin Robinson" <csmjmr () bath ac uk>
> To: <tcpdump-workers () tcpdump org>
> Sent: Saturday, September 13, 2003 3:00 AM
> Subject: Fw: [tcpdump-workers] Output goes weird!
>
>
> > Hi
> >
> > How would I go about increasing the buffer size on FreeBSD? I've read
lots
> > about it but I'm not quite sure how
> > you do it.
> >
> > Do I have to change the pcap source and recompile. If so... how do I do
> this
> > please?
> >
> > Thanks in advance
> > Regards
> > Justin
> >
> >
> > ----- Original Message -----
> > From: <csmjmr () bath ac uk>
> > To: "Guy Harris" <guy () alum mit edu>
> > Cc: <tcpdump-workers () tcpdump org>; "Michael Richardson"
> > <mcr () sandelman ottawa on ca>
> > Sent: Friday, September 12, 2003 10:11 AM
> > Subject: Re: [tcpdump-workers] Output goes weird!
> >
> >
> > > Hi
> > >
> > > > > The non-printable characters problem is fixed.
> > > > > I fixed it by setting the snaplen to 2048.
> > > >
> > > > That's not a fix, that just hides the problem - your program should,
> > > > for safety's sake, check the "caplen" field of the pcap_pkthdr
> > > > structure, and not look at any bytes past that length.  (Yes, if
> you're
> > > > capturing on a network where packets are never > 2048 bytes, you
> > > > *should* be safe - but, just in case the packet is somehow
malformed,
> > > > you should *still* do that check.)
> > >
> > > I see - Ok... I will add this check (or at least write about it :o))
> > >
> > > > > The packet dropping is a separate problem.
> > > > > I used TCPDUMP to tell me wether packets were being dropped...
> > > > > at the end where it gives number received and number dropped by
> > kernel.
> > > > Are you using a packet filter expression when capturing?  I.e., does
> > > > your program do a "pcap_compile()" and a "pcap_setfilter()"?
> > >
> > > Yes I'm applying a filter with pcap_compile() and then
pcap_setfilter().
> > > Justin
> > > -
> > > This is the TCPDUMP workers list. It is archived at
> > > http://www.tcpdump.org/lists/workers/index.html
> > > To unsubscribe use
> > mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
> > >
> >
> >
> > -
> > This is the TCPDUMP workers list. It is archived at
> > http://www.tcpdump.org/lists/workers/index.html
> > To unsubscribe use
> mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
> >


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe