tcpdump mailing list archives

Re: How tcpdump determines the "dropped by kernel"?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 25 Nov 2013 10:07:22 -0800


On Nov 24, 2013, at 5:04 PM, Eliezer Croitoru <eliezer () ngtech co il> wrote:

> Since I would not like to research tcpdump code I would like to get some help about it from others.
>
> So my kernel would declare on packets that were dropped but still the connection was OK and was not disrupted in any
> way I can think about.
>
> What exactly does this "drop by kernel" mean?
> Is it dropped by kernel and was not handled by any application? Or does it mean that the buffers of tcpdump got filled
> and therefore were dropped by tcpdump?

It means that:

        tcpdump uses libpcap to do packet capture;

        libpcap uses some mechanism or driver in the OS kernel to do packet capture;

        that mechanism has, for each capture in progress on each network interface, buffers into which copies of
packets are placed;

        if *those* buffers fill up, because tcpdump (or whatever application is capturing) isn't processing the packets
fast enough, any packets that arrive while the buffers are full are not copied to a buffer for capturing on that
interface.

That doesn't mean that the packets aren't delivered to the OS networking stack (or to other captures being done on the
same device).

> In any case I would like to do a very big dump into a storage system on a very loaded system and which I would like
> to not drop any packet by either the kernel or any other level if possible.
> In case there is tuning to the system in a couple of layers I would like to at least minimize the drops from lots of
> packets to a small number of packets.

What OS are you capturing on, and what version of libpcap is tcpdump using (run "tcpdump -h" to get the libpcap 
version)?
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
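As an added example (not part of this thread and not tcpdump's or libpcap's own code): a small POSIX shell wrapper that captures with a larger kernel buffer and then checks the per-capture counters Guy describes. It assumes Linux with tcpdump 4.x on libpcap 1.0 or later, where -B sets the kernel capture buffer size in KiB, and it relies on the statistics tcpdump prints to stderr on exit ("N packets captured", "N packets received by filter", "N packets dropped by kernel" and, on platforms that report it, "N packets dropped by interface"). The interface name, output file and buffer size are parameters you supply; the sample summary embedded in the script is constructed, not real capture output.

```shell
#!/bin/sh
# Added example: wrap a tcpdump capture so the "dropped by kernel" counter is
# checked after the run. Assumes Linux, tcpdump 4.x with libpcap >= 1.0 (-B).

# Constructed sample of the summary tcpdump prints to stderr on exit (not real
# capture output); lets the parser be exercised without root or an interface.
SAMPLE_SUMMARY='1234 packets captured
1300 packets received by filter
66 packets dropped by kernel'

# parse_drop_summary: read tcpdump's end-of-run statistics on stdin and print
# "captured received dropped_by_kernel dropped_by_interface" as four integers
# (a counter that never appears in the input is reported as 0).
parse_drop_summary() {
    awk '
        /packets captured/             { captured = $1 }
        /packets received by filter/   { received = $1 }
        /packets dropped by kernel/    { kdrop = $1 }
        /packets dropped by interface/ { idrop = $1 }
        END { printf "%d %d %d %d\n", captured, received, kdrop, idrop }
    '
}

# drop_ratio_percent: kernel drops as an integer percentage of the packets the
# filter accepted.  Arguments: received dropped_by_kernel.
drop_ratio_percent() {
    received=$1; kdrop=$2
    if [ "$received" -eq 0 ]; then echo 0; return; fi
    echo $(( kdrop * 100 / received ))
}

# capture_with_check: run tcpdump with an enlarged kernel buffer, write raw
# packets to a file, print the counters, and return nonzero if anything was
# dropped by the kernel or the interface.  Stop the capture with Ctrl-C.
# Usage: capture_with_check <iface> <outfile> <buffer_KiB> [filter expression]
capture_with_check() {
    iface=$1; outfile=$2; bufkib=$3; shift 3
    stats=$(mktemp)
    # -n: no name lookups; -s 0: whole packets; -B: kernel buffer in KiB;
    # -w: write raw packets rather than decoding them (decoding and printing
    # is what makes tcpdump slow enough for the kernel buffer to fill).
    tcpdump -i "$iface" -n -s 0 -B "$bufkib" -w "$outfile" "$@" 2>"$stats"
    set -- $(parse_drop_summary < "$stats")
    rm -f "$stats"
    echo "captured=$1 received=$2 dropped_by_kernel=$3 dropped_by_interface=$4"
    echo "kernel drop ratio: $(drop_ratio_percent "$2" "$3")%"
    [ "$3" -eq 0 ] && [ "$4" -eq 0 ]
}
```

Run it as root, for example `capture_with_check eth0 /fast-disk/big.pcap 262144 'not port 22'`, and stop it with Ctrl-C. The "dropped by kernel" figure is libpcap's ps_drop from pcap_stats(), the count of packets that arrived while this capture's own kernel buffer was full; as the reply above says, a nonzero value means the capturing process fell behind, not that the host or its TCP connections lost traffic. If the ratio stays above zero after raising -B, the next things to look at are the write path (write to local fast storage, not over the network) and narrowing the filter so fewer packets reach the buffer in the first place.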