Ethereal-users: Re: [Ethereal-users] tcpdump question... they have no user mailing list :(
George P Nychis wrote:
> Sorry for a question that is not ethereal, but it's related and
> TCPDUMP doesn't have a user mailing list, only a developer mailing
> list,
tcpdump-workers@xxxxxxxxxxx is both a user and a developer mailing list
for tcpdump. (It's also a user and developer mailing list for libpcap.)
> After I ran tcpdump for 2 days with heavy traffic, I got:
>
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 102591563 packets captured
> 210400699 packets received by filter
> 5217573 packets dropped by kernel
>
> What I am interested in is the "5217573 packets dropped by kernel"
> Are these packets outgoing, incoming, or both?
Unknown - there aren't separate counts kept for dropped incoming and
outgoing packets.
> If so, does that mean
> the application created data, passed it down to the kernel to be put
> on the link, and the kernel could not handle all the packets and
> simply dropped them?
It means that a packet was either received or transmitted, and handed to
the kernel mechanism used for packet capture, and that mechanism didn't
have enough buffer space for it, so it wasn't supplied to tcpdump.
It says nothing about whether the packet was dropped by the regular OS
mechanism for transmitting or receiving packets; it probably wasn't - it
was just dropped by the mechanism tcpdump used to capture traffic (which
is the same mechanism Ethereal and Tethereal and snort and... use).
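
As an added example (not part of the original thread, and not code from tcpdump or Ethereal): a small Python check that parses the three counter lines tcpdump prints on exit and reports how much of the traffic the capture mechanism failed to hand over, so a capture with gaps is not treated as complete. The function names and the `max_ratio` threshold are assumptions made for this example; the sample counters are the ones quoted in the message above.

```python
import re
from dataclasses import dataclass

# Counter lines from the tcpdump run quoted in the thread above.
SAMPLE = """\
102591563 packets captured
210400699 packets received by filter
5217573 packets dropped by kernel
"""

# One pattern per counter line; "packets?" also accepts the singular form.
_COUNTERS = {
    "captured": re.compile(r"^[ \t]*(\d+) packets? captured[ \t]*$", re.M),
    "received": re.compile(r"^[ \t]*(\d+) packets? received by filter[ \t]*$", re.M),
    "dropped": re.compile(r"^[ \t]*(\d+) packets? dropped by kernel[ \t]*$", re.M),
}

@dataclass
class CaptureStats:
    captured: int
    received: int
    dropped: int

    @property
    def drop_ratio(self) -> float:
        # Drops relative to "received by filter". What that counter
        # includes differs between operating systems, so this is an estimate.
        return self.dropped / self.received if self.received else 0.0

def parse_summary(text: str) -> CaptureStats:
    """Extract the three exit counters; fail loudly if any line is missing."""
    values = {}
    for name, pattern in _COUNTERS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"missing counter line: {name}")
        values[name] = int(match.group(1))
    return CaptureStats(**values)

def capture_is_complete(stats: CaptureStats, max_ratio: float = 0.0) -> bool:
    """True when capture-buffer drops stay within the tolerated ratio (assumed threshold)."""
    return stats.drop_ratio <= max_ratio

if __name__ == "__main__":
    stats = parse_summary(SAMPLE)
    print(f"{stats.dropped} packets never reached tcpdump "
          f"(~{stats.drop_ratio:.2%} of those received by the filter); "
          f"complete={capture_is_complete(stats)}")
```

A non-zero drop count here says the capture file has gaps; as the reply explains, it does not say the hosts themselves failed to send or receive those packets.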