Re: [Libpcap] Linux ps_drop()

[Guy Harris <guy () alum mit edu>]

On Oct 10, 2011, at 8:28 PM, Jon Schipp wrote:

> I'm going through some past mailing lists posts and I found this, which may
> have answered my question on where libpcap on Linux gets its drop count:
> http://seclists.org/tcpdump/2010/q3/46
>
> "You have a recent version of libpcap, and a recent kernel, so pcap_stats()
> should be getting the dropped-packet statistics by calling
> getsockopt(PF_PACKET socket, SOL_PACKET, PACKET_STATISTICS, &statistics
> buffer, ...). The PF_PACKET socket code should increment the count of
> dropped packets any time it fails to put a packet into the buffer because
> the buffer is full."
>
> Is this still true?

"[If] you have a recent version of libpcap, and a recent kernel, [then] pcap_stats() should be getting the 
dropped-packet statistics by calling..." is still true as of the top-of-Git-trunk code today; we have not changed it 
and have no reason to change it.

"The PF_PACKET socket code [increments] the count of dropped packets any time it fails to put a packet into the buffer 
because the buffer is full." appears to be true at least as of

        http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob_plain;f=net/packet/af_packet.c;hb=HEAD

Is there a reason why you might think it's no longer true?-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.