Tcpdump dropping packets
Chuck Swiger
cswiger at mac.com
Thu Jun 8 02:44:54 UTC 2006
Paul Schmehl wrote:
> I'm fiddling around with ntop, but, after an initial packet capture, it
> doesn't capture any more traffic. It claims that libpcap is dropping
> all the packets.
>
> If I run tcpdump like this:
>
> tcpdump -i <interface>
>
> I get this:
>
> 15 packets captured
> 51104 packets received by filter
> 50288 packets dropped by kernel
>
> If I run tcpdump like this:
>
> tcpdump -i <interface> -w filename
>
> I get this:
>
> 65235 packets captured
> 65489 packets received by filter
> 0 packets dropped by kernel
>
> Is there a sysctl tweak that can at least reduce the packet loss? Is
> there a setting in ntop that I'm missing?
tcpdump can write to a file for decoding later much more efficiently than it
can deal with live processing, DNS lookups, etc. You can help matters out
slightly by increasing the underlying PCAP/BPF buffer size or by filtering out
all but the traffic you want to see.

Check sysctl debug.bpf_bufsize, but also do a search on this because there may
be a patch needed for PCAP in order for buffers larger than 32K to actually
work. [1]
> If I send tcpdump to a file, can ntop read the file continuously? Or
> will it only read it one time?
Dunno. I recall that ntop-1 was much more useful and stable than the current
ntop seems to be...
--
-Chuck
[1]: Or has that been fixed?
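
Added example, not part of the original message: a small shell helper that turns tcpdump's exit summary into a drop percentage, so a capture run can be checked after a buffer-size or filter change. The function names and the 1% threshold are assumptions; the sample input is the two summaries quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reads the summary tcpdump prints on stderr when it exits and reports how
# much traffic the kernel dropped before tcpdump could read it. The exact
# meaning of "received by filter" depends on the OS, so treat the
# percentage as a rough indicator.

# capture_drop_report [max_pct]
#   stdin:  tcpdump's exit summary
#   stdout: received=N dropped=N drop_pct=P
#   status: 0 within max_pct, 1 above it, 2 if no summary was found
capture_drop_report() {
    awk -v max="${1:-1}" '
        /packets received by filter/ { recv = $1; have_recv = 1 }
        /packets dropped by kernel/  { drop = $1; have_drop = 1 }
        END {
            if (!have_recv || !have_drop) {
                print "no tcpdump summary found"
                exit 2
            }
            pct = (recv > 0) ? 100 * drop / recv : 0
            printf "received=%d dropped=%d drop_pct=%.2f\n", recv, drop, pct
            rc = (pct > max + 0) ? 1 : 0
            exit rc
        }'
}

# Sample input: the two summaries quoted in the message above.
live_summary() {    # from: tcpdump -i <interface>
    printf '%s\n' '15 packets captured' \
                  '51104 packets received by filter' \
                  '50288 packets dropped by kernel'
}
file_summary() {    # from: tcpdump -i <interface> -w filename
    printf '%s\n' '65235 packets captured' \
                  '65489 packets received by filter' \
                  '0 packets dropped by kernel'
}

live_summary | capture_drop_report 1 || echo "live decode: drops above 1%"
file_summary | capture_drop_report 1 || echo "write to file: drops above 1%"
```

On a real capture, redirect tcpdump's stderr into the function, since that is where the summary is written.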