Paul Schmehl wrote:
> I'm fiddling around with ntop, but, after an initial packet capture, it
> doesn't capture any more traffic. It claims that libpcap is dropping
> all the packets.
>
> If I run tcpdump like this:
> tcpdump -i <interface>
> I get this:
> 15 packets captured
> 51104 packets received by filter
> 50288 packets dropped by kernel
>
> If I run tcpdump like this:
> tcpdump -i <interface> -w filename
> I get this:
> 65235 packets captured
> 65489 packets received by filter
> 0 packets dropped by kernel
>
> Is there a sysctl tweak that can at least reduce the packet loss? Is
> there a setting in ntop that I'm missing?

tcpdump can write to a file for decoding later much more efficiently than it
can deal with live processing, DNS lookups, etc. You can help matters out
slightly by increasing the underlying PCAP/BPF buffer size or by filtering out
all but the traffic you want to see.

Check sysctl debug.bpf_bufsize, but also do a search on this because there may
be a patch needed for PCAP in order for buffers larger than 32K to actually
work. [1]

> If I send tcpdump to a file, can ntop read the file continuously? Or
> will it only read it one time?

Dunno. I recall that ntop-1 was much more useful and stable than the current
ntop seems to be...
--
-Chuck
[1]: Or has that been fixed?
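
An added example, not part of the original thread: a small shell helper that turns the summary tcpdump prints on exit into a drop percentage, so runs with a larger BPF buffer, a capture filter, or `-w` can be compared against the live-decode run. The function names and the 1% default threshold are assumptions made for illustration; the two sample summaries are the counters quoted in the message above.

```shell
#!/bin/sh
# Added example: measure kernel packet drops from tcpdump's exit summary.
# tcpdump writes this summary to stderr when it exits.

# Sample input: the two summaries quoted in the message above.
LIVE_SUMMARY='15 packets captured
51104 packets received by filter
50288 packets dropped by kernel'

FILE_SUMMARY='65235 packets captured
65489 packets received by filter
0 packets dropped by kernel'

# drop_pct (hypothetical helper): read a tcpdump summary on stdin and print
# dropped-by-kernel as a percentage of received-by-filter, one decimal place.
# Prints "n/a" when either counter is missing or nothing was received.
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1; have_recv = 1 }
        /packets dropped by kernel/  { drop = $1; have_drop = 1 }
        END {
            if (!have_recv || !have_drop || recv == 0) { print "n/a"; exit }
            printf "%.1f\n", 100 * drop / recv
        }'
}

# check_capture (hypothetical helper): read a summary on stdin and succeed
# only if the drop percentage is at or below the threshold in $1
# (assumed default: 1). Returns 2 when the summary could not be parsed.
check_capture() {
    pct=$(drop_pct)
    [ "$pct" != "n/a" ] || return 2
    awk -v p="$pct" -v t="${1:-1}" 'BEGIN { exit !(p <= t) }'
}

# Compare the two runs from the message.
printf 'live decode:   %s%% dropped\n' "$(printf '%s\n' "$LIVE_SUMMARY" | drop_pct)"
printf 'write to file: %s%% dropped\n' "$(printf '%s\n' "$FILE_SUMMARY" | drop_pct)"
```

Saving the stderr of each test capture and feeding it to `check_capture` gives a pass/fail signal after changing the buffer size or filter, instead of comparing the raw counters by eye.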