tcpdump mailing list archives

Re: How tcpdump determines the "dropped by kernel"?


From: Guy Harris <guy () alum mit edu>
Date: Mon, 25 Nov 2013 11:28:53 -0800


On Nov 25, 2013, at 11:01 AM, Eliezer Croitoru <eliezer () ngtech co il> wrote:

I am running Linux on a couple of systems: Gentoo, Ubuntu 10.04 and newer, CentOS.

What kernel version?

On the Ubuntu that I am using now:
tcpdump version 4.4.0
libpcap version 1.4.0

On the CentOS it's the exact same version output:

If you're running on a system with a 3.2 or later kernel, then, if you use libpcap built from the current Git trunk, it 
can use version 3 of the memory-mapped capture mechanism (TPACKET_V3), which makes more efficient use of the capture 
mechanism's buffers than do earlier versions of that mechanism (TPACKET_V1 and TPACKET_V2), resulting in fewer packet 
drops.

So in a case where there is not much RAM limitation for the machine, I would think that an option to use more RAM for
these buffers can be an option.

Yes - that's what the -B flag to tcpdump lets you do.  (The default is 2MB on Linux.)
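
An added example, not part of the original post and not libpcap's or tcpdump's own code: C against the Linux packet-socket interface, sizing a TPACKET_V3 ring from a `-B` style value in KiB and reading the drop counter with `PACKET_STATISTICS`. The function names and the block and frame sizes are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ring layout for a -B style size in KiB; 256 KiB blocks, 2 KiB frames (assumed). */
int ring_geometry(unsigned kib, struct tpacket_req3 *req)
{
    struct tpacket_req3 r = { .tp_block_size = 1u << 18, .tp_frame_size = 1u << 11 };
    r.tp_block_nr = kib / (r.tp_block_size / 1024u);
    r.tp_frame_nr = r.tp_block_nr * (r.tp_block_size / r.tp_frame_size);
    *req = r;
    return r.tp_block_nr ? 0 : -1;      /* -1: smaller than one block */
}

/* Packet socket with a TPACKET_V3 ring; needs CAP_NET_RAW and a 3.2+ kernel. */
int open_v3_ring(unsigned kib)
{
    struct tpacket_req3 req;
    int v = TPACKET_V3, fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd >= 0 && ring_geometry(kib, &req) == 0 &&
        setsockopt(fd, SOL_PACKET, PACKET_VERSION, &v, sizeof v) == 0 &&
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof req) == 0)
        return fd;
    if (fd >= 0)
        close(fd);
    return -1;
}

/* tp_drops feeds "dropped by kernel"; the kernel zeroes the counters on each read. */
int read_drops(int fd, struct tpacket_stats_v3 *st)
{
    socklen_t len = sizeof *st;
    return getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, st, &len);
}

int main(void)
{
    struct tpacket_stats_v3 st = {0};
    int fd = open_v3_ring(2048);        /* 2 MiB, the Linux default quoted above */
    if (fd < 0)
        return 1;                       /* e.g. EPERM without CAP_NET_RAW */
    sleep(5);                           /* nothing drains the ring, so it fills */
    if (read_drops(fd, &st) == 0)
        printf("%u seen, %u dropped by kernel\n", st.tp_packets, st.tp_drops);
    close(fd);
    return 0;
}
```

Because nothing consumes the ring here, the drop counter starts rising once every block is full; a larger size only delays that point, which is why buffer size helps with bursts rather than with a reader that is persistently too slow.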


