From owner-freebsd-net@FreeBSD.ORG Wed Sep 17 18:45:32 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77ECB16A4B3 for ; Wed, 17 Sep 2003 18:45:32 -0700 (PDT)
Received: from smtp.netli.com (ip2-pal-focal.netli.com [66.243.52.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 988AA43FAF for ; Wed, 17 Sep 2003 18:45:31 -0700 (PDT) (envelope-from vlm@netli.com)
Received: (qmail 26901 invoked by uid 84); 18 Sep 2003 01:45:31 -0000
Received: from vlm@netli.com by l3-1 with qmail-scanner-0.96 (uvscan: v4.1.40/v4121. . Clean. Processed in 0.149876 secs); 18 Sep 2003 01:45:31 -0000
Received: from unknown (HELO netli.com) (172.17.1.12) by mx01-pal-lan.netli.lan with SMTP; 18 Sep 2003 01:45:31 -0000
Message-ID: <3F690E7D.90201@netli.com>
Date: Wed, 17 Sep 2003 18:46:37 -0700
From: Lev Walkin
Organization: Netli, Inc.
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820
X-Accept-Language: ru, en-us, en
MIME-Version: 1.0
To: Josh Brooks
References: <20030917182850.Q52432-100000@mail.econolodgetulsa.com>
In-Reply-To: <20030917182850.Q52432-100000@mail.econolodgetulsa.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-net@freebsd.org
Subject: Re: I would like to tcpdump and get all the packets...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 18 Sep 2003 01:45:32 -0000

Josh Brooks wrote:
> Whenever I run:
>
> tcpdump -vvv
>
> when I am finished, I am surprised to see:
>
> 27441 packets received by filter
> 7866 packets dropped by kernel
>
> I have pored over the tcpdump man page, but do not see how to tell it to
> not drop any of the packets.
>
> What is the purpose behind this ? I can't think of any situation where I
> would want to run tcpdump and not see certain things.
>
> The whole point of my tcpdump usage is to try to catch some malicious
> traffic that I think is hitting my system - if it is dropping so many
> packets, I might never see it!
>
> Many thanks - and also, just out of curiosity, what _is_ the situation in
> which it helps to throw out 20% of the packets and not see them ?

Would you want to de-prioritize tcpdump so if it can't process data quickly
enough as the kernel receives them, the kernel would stop processing packets
and wait for tcpdump to finish?

But seriously, there is a solution for your problem. Add a -n to your
numerous -v's. You probably don't want to spend tcpdump's precious time
resolving the IPs it captures, while losing data.

-- 
Lev Walkin
vlm@netli.com
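The thread's point is that "packets dropped by kernel" means the bpf buffer filled while tcpdump was busy in userland (here, resolving names), so the capture is incomplete and cannot be trusted as evidence. The script below is an added example, not code from either poster: it parses tcpdump's closing statistics (the two figures from the thread are embedded as a constructed sample) and turns them into a drop percentage and a pass/fail check, so a monitoring job can notice a lossy capture instead of silently treating it as complete. The interface name em0, the file names and the 1% threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): evaluate tcpdump's
# exit statistics so a capture that lost packets is flagged, not trusted.

# Constructed sample of tcpdump's trailer, using the figures quoted in the thread.
SAMPLE_STATS='27441 packets received by filter
7866 packets dropped by kernel'

# drop_percent STATS_TEXT
# Prints the integer percentage of received packets that the kernel dropped.
# On BSD bpf the "received by filter" counter includes the dropped ones,
# so the ratio is drop / recv.
drop_percent() {
    printf '%s\n' "$1" | awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print 0; exit }
            printf "%d\n", (drop * 100) / recv
        }'
}

# capture_ok STATS_TEXT THRESHOLD_PERCENT
# Returns 0 (success) when drops are at or below the threshold, 1 otherwise.
capture_ok() {
    pct=$(drop_percent "$1")
    [ "$pct" -le "$2" ]
}

# Assumed invocation: -n skips name resolution (the reply's advice) and -w
# writes raw packets to a file instead of decoding them on the terminal,
# both of which keep tcpdump from falling behind the kernel. tcpdump prints
# its statistics on stderr when it exits, so that is what we parse.
#   tcpdump -n -i em0 -w capture.pcap 2> stats.txt
#   capture_ok "$(cat stats.txt)" 1 \
#       || echo "capture incomplete: $(drop_percent "$(cat stats.txt)")% dropped"
```

With the thread's numbers the function reports 28% dropped, which is far above any threshold a capture used as evidence should accept. On FreeBSD the per-descriptor buffer that fills up is governed by the net.bpf.bufsize and net.bpf.maxbufsize sysctls, so raising those is the complementary fix when -n and -w alone are not enough.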