Date: Wed, 07 Jun 2006 20:28:44 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Paul Schmehl <pauls@utdallas.edu>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Tcpdump dropping packets
Message-ID: <44876F3C.9020409@mac.com>
In-Reply-To: <4487245C.6070807@utdallas.edu>
References: <4487245C.6070807@utdallas.edu>

Paul Schmehl wrote:
> I'm fiddling around with ntop, but, after an initial packet capture, it
> doesn't capture any more traffic. It claims that libpcap is dropping
> all the packets.
>
> If I run tcpdump like this:
>
> tcpdump -i <interface>
>
> I get this:
>
> 15 packets captured
> 51104 packets received by filter
> 50288 packets dropped by kernel
>
> If I run tcpdump like this:
>
> tcpdump -i <interface> -w filename
>
> I get this:
>
> 65235 packets captured
> 65489 packets received by filter
> 0 packets dropped by kernel
>
> Is there a sysctl tweak that can at least reduce the packet loss? Is
> there a setting in ntop that I'm missing?

tcpdump can write to a file for decoding later much more efficiently than it
can deal with live processing, DNS lookups, etc. You can help matters out
slightly by increasing the underlying PCAP/BPF buffer size or by filtering out
all but the traffic you want to see.

Check sysctl debug.bpf_bufsize, but also do a search on this because there may
be a patch needed for PCAP in order for buffers larger than 32K to actually
work. [1]

> If I send tcpdump to a file, can ntop read the file continuously? Or
> will it only read it one time?

Dunno. I recall that ntop-1 was much more useful and stable than the current
ntop seems to be...

-- 
-Chuck

[1]: Or has that been fixed?
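
Added example, not part of the original message or of tcpdump itself: a small shell check that reads the three-line summary tcpdump prints on exit and reports the kernel drop percentage, so a capture run can be flagged when it loses traffic. The function name `pcap_drop_check` and the 1% default threshold are assumptions; the sample figures are the ones quoted in the thread.

```shell
#!/bin/sh
# pcap_drop_check [max_pct]   (hypothetical helper, added example)
# Reads tcpdump's exit summary on stdin (tcpdump writes it to stderr) and
# prints: "<captured> <received> <dropped> <drop_pct>"
# Returns 0 if drop_pct <= max_pct, 1 if above, 2 if no summary was found.
# Assumption: the drop rate is measured against "received by filter";
# the exact meaning of that counter depends on the OS.
pcap_drop_check() {
    threshold="${1:-1}"    # assumed default: tolerate up to 1% loss
    LC_ALL=C awk -v max="$threshold" '
        /packets captured/           { cap  = $1; seen++ }
        /packets received by filter/ { rec  = $1; seen++ }
        /packets dropped by kernel/  { drop = $1; seen++ }
        END {
            if (seen < 3) { print "no tcpdump summary found"; exit 2 }
            # Guard against division by zero on an idle interface.
            pct = (rec > 0) ? 100 * drop / rec : 0
            printf "%d %d %d %.1f\n", cap, rec, drop, pct
            exit (pct > max + 0) ? 1 : 0
        }'
}

# Live decoding run from the thread: almost everything is dropped.
pcap_drop_check 1 <<'EOF' || echo "live decode: drop rate above threshold"
15 packets captured
51104 packets received by filter
50288 packets dropped by kernel
EOF

# Same interface with -w filename: nothing is dropped.
pcap_drop_check 1 <<'EOF' && echo "write to file: within threshold"
65235 packets captured
65489 packets received by filter
0 packets dropped by kernel
EOF
```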