tcpdump mailing list archives

Re: eliminating dropping of packets by the kernel during packet capture


From: "Nguyen Huy Ha" <ha.h.ngu () gmail com>
Date: Mon, 28 May 2007 13:10:27 +0200

If the problem is a limited buffer, I suggest you check this article:
http://www.net.t-labs.tu-berlin.de/research/hppc/

It is said that you can change the kernel configuration to get 600Mbps
without losses. I haven't tried it since changing the buffer works for me; I
only need to capture 50Mbps.

Br.

On 5/26/07, Code Master <cpp.codemaster () gmail com> wrote:

On a sniffer computer (P4 1.6GHz with 368MB RAM running Ubuntu without X
server) which is equipped with a gigabit card and connected to the gigabit
port set to mirror other ports on a cluster switch (all other ports on the
switch are ordinary 10/100M), I am trying to capture tcp packets:

sudo nice -20 tcpdump -v -s0 -i eth1 -w /tmp/stuff.pcap tcp

where eth1 is the gigabit port and /tmp is mounted on tmpfs (ramdisk) to
avoid delays.  I only run this command on console and I have turned off X
server and any other unnecessary services to decrease delay (I checked
with ps aux).

However, when there are a lot of packets, tcpdump reports some packets
dropped (e.g. 200-300 packets per 60000 packets) "by the kernel".

Then I ran

ifconfig eth1

and it says no packets were dropped (does it mean that no packets were
dropped within the network card?)

Now can you see where the packet is dropped in the kernel (is it because
the buffer is not big enough?) and how can I eliminate packet drops?

Thanks!
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
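
An added example, not part of the original messages: Python that compares the two counters discussed in this thread, tcpdump's "dropped by kernel" count and the interface receive counters that ifconfig reports, to show where the loss occurred. The sample inputs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample: the summary tcpdump prints when it exits.
TCPDUMP_SUMMARY = """\
60000 packets captured
60300 packets received by filter
300 packets dropped by kernel
"""

# Constructed sample of /proc/net/dev, where ifconfig reads its RX counters.
PROC_NET_DEV = """\
Inter-|   Receive                                    |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
  eth1: 45000000 60300 0 0 0 0 0 0 0 0 0 0 0 0 0 0
"""

def parse_tcpdump_summary(text):
    """Extract tcpdump's exit counters, keyed captured / received / dropped."""
    labels = ("captured", "received by filter", "dropped by kernel")
    counters = {}
    for label in labels:
        match = re.search(r"(\d+) packets? " + label, text)
        if match is None:
            raise ValueError("missing line: packets " + label)
        counters[label.split()[0]] = int(match.group(1))
    return counters

def parse_rx_counters(text, iface):
    """Return the receive-side counters of one interface from /proc/net/dev."""
    for line in text.splitlines()[2:]:          # first two lines are headers
        name, _, rest = line.partition(":")
        if name.strip() == iface:
            fields = [int(v) for v in rest.split()]
            return dict(zip(("bytes", "packets", "errs", "drop", "fifo"), fields))
    raise KeyError(iface)

def locate_loss(summary, rx):
    """Name each place where the counters show packets being lost."""
    places = []
    if rx["errs"] or rx["drop"] or rx["fifo"]:
        places.append("interface")              # lost at the NIC or driver
    if summary["dropped"]:
        # Dropped by the OS capture mechanism for lack of buffer space.
        places.append("capture buffer")
    return places

def drop_percent(summary):
    """Dropped packets as a percentage of captured plus dropped."""
    return 100.0 * summary["dropped"] / (summary["captured"] + summary["dropped"])
```

With the constructed input, the interface counters are clean and the only loss is in the capture buffer, which is the situation the original question describes.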
