tcpdump mailing list archives

Re: libpcap 1.0 huge packet drop?


From: Guy Harris <guy () alum mit edu>
Date: Sun, 4 Jul 2010 12:36:38 -0700


On Jul 4, 2010, at 7:15 AM, bored to death wrote:

> I'm having quite a problem with tcpdump 4.0.0

Combine the previous sentence and the subject line - at this point, you're comparing libpcap 0.9.8+tcpdump 3.9.8 with 
libpcap 1.0.0+tcpdump 4.0.0, and the problem could be caused by libpcap 1.0.0, tcpdump 4.0.0, or the combination of 
them.

I doubt that it's tcpdump 4.0.0's problem, but the first thing you should try is to build the same version of tcpdump - 
3.9.8 or 4.0.0 - with both versions of libpcap, and see what happens.  (libpcap and tcpdump are released together, but 
tcpdump is supposed to be able to work with versions of libpcap other than the one with which it was released.)

> I'm trying to dump gigabit network traffic to file with tcpdump. At first, I was on Debian 5. I had tcpdump 3.9.8
> (uses libpcap 0.9.8) installed and, with upgrading network-related parameters of the kernel, I had no packet drop and
> everything was fine. But then I installed tcpdump 4.0.0 (which uses libpcap 1.0) and this caused a huge packet drop
> in my receive. (In 700Mb TCP traffic, 1 out of 3 packets was being dropped.)
> I installed and checked dumpcap (comes with Wireshark) and realized Wireshark 1.2.6, which is built with libpcap 0.9.8,
> doesn't have packet drop, but Wireshark 1.2.7, which is built with libpcap 1.0, has the same problem and packets are
> hugely being dropped. (I'm not sure about the Wireshark versions.)

Are those versions of dumpcap linked statically, or dynamically, with libpcap?  What happens if you run both versions 
of dumpcap with the -v flag?

> So does libpcap 1.0 really have this bad bug, or am I doing something wrong?

> Also, I tested tcpdump 3.9.7 (with libpcap 0.9.7) and tcpdump 4.0.0 (with libpcap 1.0) on FreeBSD 8.0 (700Mb TCP
> traffic) and the result was almost the same. (Packet drop with tcpdump 4.0 was 6 times more than with tcpdump 3.9.7, though
> here I couldn't make tcpdump 3.9.7 dump with zero packet loss.)

The biggest difference between libpcap 0.9.8 and libpcap 1.0.0 on both Linux and FreeBSD is that, in both cases, 
libpcap 1.0.0 supports a memory-mapped interface but libpcap 0.9.8 doesn't.  I wouldn't expect that to make things 
*worse*, but, just because one might *expect* the memory-mapped interface to work better, that doesn't mean it *will* 
work better.

If, after you try this with the tcpdump version held constant (which it probably will be, as per my comment above, and 
as the same issue is showing up with Wireshark), it's a libpcap issue rather than a tcpdump issue, try tweaking 
pcap-linux.c and pcap-bpf.c in libpcap 1.0.0 to disable the memory-mapped interface:

        for Linux, after running the configure script, get rid of the definition of HAVE_PACKET_RING in config.h;

        for FreeBSD, after running the configure script, get rid of the definition of HAVE_ZEROCOPY_BPF in config.h;

and rebuild.

This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
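The two diagnostic steps Guy suggests (checking how dumpcap is linked against libpcap, and rebuilding libpcap 1.0.0 with the memory-mapped capture path switched off by dropping HAVE_PACKET_RING / HAVE_ZEROCOPY_BPF from config.h) as shell functions. This is an added example, not code from the thread or from the libpcap project; the function names are hypothetical, and it assumes a libpcap 1.0.0 source tree in which `./configure` has already been run so that `config.h` exists. The replacement text `/* #undef SYM */` is the commented form autoheader normally leaves for an undefined symbol; the compiler treats it as absent either way.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumes: a configured libpcap 1.0.0 tree (config.h present); ldd available
# for the linkage check. Function names are hypothetical.

# Report whether a capture binary (e.g. dumpcap) picks libpcap up dynamically
# (libpcap appears in ldd output) or not (statically linked, or ldd unable to
# inspect it). Prints "dynamic" or "static".
pcap_linkage() {
    bin=$1
    if ldd "$bin" 2>/dev/null | grep -q 'libpcap'; then
        echo dynamic
    else
        echo static
    fi
}

# Switch the memory-mapped capture path off in an already-configured
# libpcap 1.0.0 tree by removing the defines configure wrote into config.h:
#   HAVE_PACKET_RING   (Linux, PF_PACKET ring buffer)
#   HAVE_ZEROCOPY_BPF  (FreeBSD, zero-copy BPF)
# Each "#define SYM ..." line becomes the "/* #undef SYM */" form, so a
# subsequent rebuild compiles pcap-linux.c / pcap-bpf.c without that feature.
# "sed -i.bak" is used because both GNU and BSD sed accept that spelling.
disable_pcap_mmap() {
    config_h=$1
    for sym in HAVE_PACKET_RING HAVE_ZEROCOPY_BPF; do
        sed -i.bak "s|^#define $sym .*|/* #undef $sym */|" "$config_h"
    done
    rm -f "$config_h.bak"
}

# Exit 0 only when neither memory-mapped define survives in config.h,
# i.e. the rebuild will really use the non-mmap code path.
pcap_mmap_disabled() {
    ! grep -Eq '^#define (HAVE_PACKET_RING|HAVE_ZEROCOPY_BPF)' "$1"
}
```

Typical use inside the libpcap source tree, after `./configure` has run: `disable_pcap_mmap config.h && pcap_mmap_disabled config.h && make clean && make`, then build the same tcpdump version against this libpcap and repeat the 700Mb capture. Running `pcap_linkage "$(command -v dumpcap)"` on each Wireshark build tells you whether the `-v` output of dumpcap reflects the libpcap on the system or one baked in at build time.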