From owner-freebsd-questions@FreeBSD.ORG  Thu May 15 12:16:49 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2E05E37B401
	for <questions@freebsd.org>; Thu, 15 May 2003 12:16:49 -0700 (PDT)
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7B24D43F3F
	for <questions@freebsd.org>; Thu, 15 May 2003 12:16:48 -0700 (PDT)
	(envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost)
	by dan.emsphone.com (8.12.9/8.12.9) id h4FJGkRt014833;
	Thu, 15 May 2003 14:16:46 -0500 (CDT)
	(envelope-from dan)
Date: Thu, 15 May 2003 14:16:46 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: David Smithson <david@customfilmeffects.com>
Message-ID: <20030515191646.GK23782@dan.emsphone.com>
References: <1053023794.23535.40.camel@blargh.customfilmeffects.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1053023794.23535.40.camel@blargh.customfilmeffects.com>
X-OS: FreeBSD 5.1-BETA
X-message-flag: Outlook Error
User-Agent: Mutt/1.5.4i
cc: questions@freebsd.org
Subject: Re: N! packets dropped by kernel
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 15 May 2003 19:16:49 -0000

In the last episode (May 15), David Smithson said:
> Hi.  I have a situation which may or may not be a problem.  Here's my ip
> configuration:
> 
> nge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
> nge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (1000baseTX <full-duplex>)
> 
> I've been monitoring net traffic with tcpdump.  Most traffic is SMB
> and NMB.  Tcpdump reports a very high dropped:received packet ratio. 
> For example, a few second of capture during peak traffic returns:
> 
> 34964 packets received by filter
> 34085 packets dropped by kernel
> 
> Should I be concerned?  I'll include full tcpdumps on both interfaces if
> necessary.  Thanks for your time.

It means you need a faster CPU :)  Tcpdump was only able to display
half the packets it got, and the kernel had to drop the rest. 
Depending on what you're doing, writing to a file (-w logfile.txt),
grabbing less bytes per packet (-s), limiting which packets to display
(with a tighter filter expression), or raising the in-kernel buffersize
(sysctl debug.bpf_bufsize) may work as well.

I'm capturing (not decoding; just writing to disk) packets from four
fxp interfaces on a 586-200 (no MMX even!), and my CPU load doesn't go
over 10%.  A machine 10x faster should be able to monitor two
interfaces 10x the speed of mine with no problems.

-- 
	Dan Nelson
	dnelson@allantgroup.com