Date: Wed, 7 Aug 2002 18:20:37 -0500 From: Dan Nelson <dnelson@allantgroup.com> To: "Balaji, Pavan" <pavan.balaji@intel.com> Cc: "'Patrick Thomas'" <root@utility.clubscholarship.com>, freebsd-questions@FreeBSD.ORG Subject: Re: tcpdump and dropped packet statistics Message-ID: <20020807232037.GA64413@dan.emsphone.com> In-Reply-To: <3D386AED1B47D411A94300508B11F18704AD69A4@fmsmsx116.fm.intel.com> References: <3D386AED1B47D411A94300508B11F18704AD69A4@fmsmsx116.fm.intel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In the last episode (Aug 07), Balaji, Pavan said:
> > What does it mean when you run tcpdump and you see this after
> > hitting ctrl-C :
> >
> > 5702 packets received by filter
> > 4395 packets dropped by kernel
> >
> > Is it just some nuance of tcpdump that I shouldn't care about, or
> > is my system actually dropping network packets (and then I should
> > care) ?
> >
> > thanks.
>
> Yes. It is something you should care. It just means that there is a
> lot of corruption of packets (from wherever you are transferring). I
> had this problem a couple of months back, and it turned out that my
> NIC was screwed up.
No. It means tcpdump is not able to process packets fast enough, and
had to drop packets sent to it by the kernel. Corrupt packets don't
even make it to the kernel. NICs usually filter them out
automatically. There's a bit more info the the "bpf" manpage:
bs_drop the number of packets which were accepted by the
filter but dropped by the kernel because of buffer
overflows (i.e., the application's reads aren't
keeping up with the packet traffic).
Try grabbing less bytes if you are using -s, or write to SCSI instead
of IDE disks if you are writing to a file.
--
Dan Nelson
dnelson@allantgroup.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020807232037.GA64413>