From owner-freebsd-questions@FreeBSD.ORG Thu Jun 8 02:44:54 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C33CA16B080; Thu, 8 Jun 2006 00:28:56 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2506743D4C; Thu, 8 Jun 2006 00:28:56 +0000 (GMT) (envelope-from cswiger@mac.com)
Received: from mac.com (smtpin02-en2 [10.13.10.147]) by smtpout.mac.com (Xserve/8.12.11/smtpout15/MantshX 4.0) with ESMTP id k580StnS011317; Wed, 7 Jun 2006 17:28:55 -0700 (PDT)
Received: from [192.168.1.251] (pool-68-160-201-170.ny325.east.verizon.net [68.160.201.170]) (authenticated bits=0) by mac.com (Xserve/smtpin02/MantshX 4.0) with ESMTP id k580SrHb017358 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Jun 2006 17:28:54 -0700 (PDT)
Message-ID: <44876F3C.9020409@mac.com>
Date: Wed, 07 Jun 2006 20:28:44 -0400
From: Chuck Swiger
User-Agent: Thunderbird 1.5.0.4 (Windows/20060516)
MIME-Version: 1.0
To: Paul Schmehl
References: <4487245C.6070807@utdallas.edu>
In-Reply-To: <4487245C.6070807@utdallas.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Questions
Subject: Re: Tcpdump dropping packets
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 08 Jun 2006 02:44:54 -0000

Paul Schmehl wrote:
> I'm fiddling around with ntop, but, after an initial packet capture, it
> doesn't capture any more traffic.  It claims that libpcap is dropping
> all the packets.
>
> If I run tcpdump like this:
>
> tcpdump -i
>
> I get this:
>
> 15 packets captured
> 51104 packets received by filter
> 50288 packets dropped by kernel
>
> If I run tcpdump like this:
>
> tcpdump -i -w filename
>
> I get this:
>
> 65235 packets captured
> 65489 packets received by filter
> 0 packets dropped by kernel
>
> Is there a sysctl tweak that can at least reduce the packet loss?  Is
> there a setting in ntop that I'm missing?

tcpdump can write to a file for decoding later much more efficiently than
it can deal with live processing, DNS lookups, etc.  You can help matters
out slightly by increasing the underlying PCAP/BPF buffer size or by
filtering out all but the traffic you want to see.

Check sysctl debug.bpf_bufsize, but also do a search on this because there
may be a patch needed for PCAP in order for buffers larger than 32K to
actually work. [1]

> If I send tcpdump to a file, can ntop read the file continuously?  Or
> will it only read it one time?

Dunno.  I recall that ntop-1 was much more useful and stable than the
current ntop seems to be...

--
-Chuck

[1]: Or has that been fixed?
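The following script is an added example, not part of the thread and not Chuck's or Paul's code. It turns the advice above into something checkable: it parses the three-line statistics block tcpdump prints on exit (using the exact numbers Paul posted as constructed sample input) and computes the kernel drop rate, reports the FreeBSD BPF buffer sysctls debug.bpf_bufsize and debug.bpf_maxbufsize where they exist, and assembles a capture command that writes raw pcap without DNS lookups and with a BPF filter so that only wanted traffic reaches the buffer. The interface name em0, the output path and the filter 'not port 22' are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a "packets dropped by kernel"
# report from tcpdump and assemble a capture command that avoids the
# live-decoding overhead described in the reply. The sysctl names are the
# real FreeBSD ones; the interface, path and filter are made-up placeholders.

# Parse tcpdump's closing statistics (three lines on stderr) and print the
# percentage of packets the kernel dropped, e.g. "98.4".
drop_rate() {
    printf '%s\n' "$1" | awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print "0.0"; exit }
            printf "%.1f\n", drop * 100 / recv
        }'
}

# Build the capture command: -n suppresses DNS lookups, -s 0 takes whole
# frames, -w writes raw pcap instead of decoding live, and a BPF filter
# keeps unwanted traffic out of the kernel buffer in the first place.
capture_cmd() {
    ifc=$1; out=$2; filter=$3
    printf 'tcpdump -n -i %s -s 0 -w %s %s\n' "$ifc" "$out" "$filter"
}

# Report the BPF buffer sysctls where they exist (FreeBSD); elsewhere "n/a".
bpf_bufsize() {
    for s in debug.bpf_bufsize debug.bpf_maxbufsize; do
        v=$(sysctl -n "$s" 2>/dev/null) || v="n/a"
        printf '%s=%s\n' "$s" "$v"
    done
}

# Constructed sample input: the two statistics blocks quoted in the thread.
LIVE_STATS='15 packets captured
51104 packets received by filter
50288 packets dropped by kernel'

FILE_STATS='65235 packets captured
65489 packets received by filter
0 packets dropped by kernel'

echo "live decode drop rate:   $(drop_rate "$LIVE_STATS")%"
echo "write-to-file drop rate: $(drop_rate "$FILE_STATS")%"
bpf_bufsize
capture_cmd em0 /var/tmp/cap.pcap 'not port 22'
```

Run it as a plain sh script; on a FreeBSD box the two sysctl lines show the current and maximum BPF buffer sizes, and the printed tcpdump line is the one to run (with your own interface and filter) before pointing ntop at the resulting file.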