Wireshark mailing list archives

Re: Mysterious packet loss during capture


From: <Tim.Poth () bentley com>
Date: Fri, 9 Oct 2009 16:47:41 -0400

Do you have another box you could try? Maybe there is something with that hardware under Linux. I think I would try
either a different NIC under Linux or a Windows box just to see how things change.
Hope that helps
tim

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of gkrames () gmx net
Sent: Friday, October 09, 2009 4:12 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Mysterious packet loss during capture

Thanks, but "-n" is already in use (sorry I forgot to mention this 
detail). Also it would not explain packet loss by dumpcap.

New observation: Packet loss is reduced using "-w /dev/null",
but it is still there.

Gerfl


Abhijit Bare wrote:
If you have DNS lookups on (converting IP addresses to hostnames) during 
packet captures, packet losses might occur. Try without DNS lookups - 
tcpdump "-n" on Linux

- Abhijit

On Thu, Oct 8, 2009 at 1:58 PM, <gkrames () gmx net 
<mailto:gkrames () gmx net>> wrote:

    Hi all,

    I have been fighting for a while now with occasional packet loss during
    capture in promiscuous mode.
    Environment: Linux 2.6.27, 32 bit, NIC e1000e, 100MBit network with
    4MBit/s actual traffic (4%), wireshark 1.2.2;
    the capturing PC has <5% CPU load and >1 GB free phys. memory.

    My test case captures 100K packets (using the -c option).
    A random number of packets is dropped (about 20..2000) with every run.

    tcpdump, dumpcap, tshark, and wireshark show this behaviour.
    Interestingly, tcpdump says "nn packets dropped by kernel".
    So this is most likely a kernel/network stack problem.

    Trials playing with some kernel sysctl parameters
    (increasing various buffer sizes, decreasing scheduler granularity
    and others) have not improved anything so far.

    ethtool -G eth0 rx-usecs 250 (or 125), limiting interrupts
    to 4000 or 8000 /sec, has reduced the packet loss but still it is
    there.

    Any ideas what else I could try?
    Also any hint would be appreciated how to find out why the kernel
    decides to drop some packets.

    Thanks,
    Gerfl






    ___________________________________________________________________________
    Sent via:    Wireshark-users mailing list
    <wireshark-users () wireshark org <mailto:wireshark-users () wireshark org>>
    Archives:    http://www.wireshark.org/lists/wireshark-users
    Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
                mailto:wireshark-users-request () wireshark org
    <mailto:wireshark-users-request () wireshark org>?subject=unsubscribe
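
On the question above of how to find out where packets are being dropped, here is an added example that is not part of the original thread: it compares the interface RX counters in `/proc/net/dev` before and after a run with the counters tcpdump prints on exit. It assumes tcpdump's "dropped by kernel" figure reflects loss at the capture socket buffer while the `errs`/`drop`/`fifo` columns reflect loss at the interface or driver; the sample data and function names are constructed for illustration.

```python
import re

# Constructed samples: /proc/net/dev before and after one capture run,
# plus the summary tcpdump prints on exit. None of this is from the thread.
HEADER = (
    "Inter-|   Receive                    |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast|"
    "bytes packets errs drop fifo colls carrier compressed\n"
)
BEFORE = HEADER + "  eth0: 50000000 400000 0 0 0 0 0 120 1000000 9000 0 0 0 0 0 0\n"
AFTER = HEADER + "  eth0: 62500000 500700 0 0 0 0 0 150 1000900 9010 0 0 0 0 0 0\n"
TCPDUMP_SUMMARY = (
    "100000 packets captured\n"
    "100700 packets received by filter\n"
    "700 packets dropped by kernel\n"
)
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")

def parse_proc_net_dev(text):
    """Return {interface: {rx_field: int}} from /proc/net/dev contents."""
    stats = {}
    for line in text.splitlines()[2:]:          # first two lines are headers
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)         # also handles "eth0:123" (no space)
        values = [int(v) for v in rest.split()]
        stats[name.strip()] = dict(zip(RX_FIELDS, values[:8]))
    return stats

def parse_tcpdump_summary(text):
    """Extract the three exit counters tcpdump reports."""
    counters = {}
    for key, label in (("captured", "captured"),
                       ("received", "received by filter"),
                       ("dropped", "dropped by kernel")):
        m = re.search(r"(\d+) packets " + re.escape(label), text)
        counters[key] = int(m.group(1)) if m else 0
    return counters

def locate_loss(before, after, summary, iface):
    """Say whether loss shows up at the interface, the capture socket, or both."""
    b, a = parse_proc_net_dev(before)[iface], parse_proc_net_dev(after)[iface]
    delta = {k: a[k] - b[k] for k in ("packets", "errs", "drop", "fifo")}
    cap = parse_tcpdump_summary(summary)
    at_nic = delta["errs"] + delta["drop"] + delta["fifo"] > 0
    at_socket = cap["dropped"] > 0
    where = {(True, True): "both", (True, False): "interface",
             (False, True): "capture-socket", (False, False): "none"}[(at_nic, at_socket)]
    return where, delta, cap

if __name__ == "__main__":
    print(locate_loss(BEFORE, AFTER, TCPDUMP_SUMMARY, "eth0"))
```

A "capture-socket" result means the interface counted every frame and the loss occurred in the buffer between the kernel and the capture tool, not in the NIC or driver.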


