Paul Schmehl wrote:
I'm fiddling around with ntop, but, after an initial packet capture, it doesn't capture any more traffic. It claims that libpcap is dropping all the packets.

If I run tcpdump like this:

tcpdump -i <interface>

I get this:

15 packets captured
51104 packets received by filter
50288 packets dropped by kernel

If I run tcpdump like this:

tcpdump -i <interface> -w filename

I get this:

65235 packets captured
65489 packets received by filter
0 packets dropped by kernel

Is there a sysctl tweak that can at least reduce the packet loss? Is there a setting in ntop that I'm missing?

tcpdump can write to a file for decoding later much more efficiently than it can deal with live processing, DNS lookups, etc. You can help matters out slightly by increasing the underlying PCAP/BPF buffer size or by filtering out all but the traffic you want to see.

Check sysctl debug.bpf_bufsize, but also do a search on this because there may be a patch needed for PCAP in order for buffers larger than 32K to actually work. [1]

If I send tcpdump to a file, can ntop read the file continuously? Or will it only read it one time?

Dunno. I recall that ntop-1 was much more useful and stable than the current ntop seems to be...


[1]: Or has that been fixed?
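
Added example, not part of the original thread: a small Python check that parses the summary tcpdump prints on exit and reports the share of packets lost to a full kernel buffer, which is useful for confirming whether a larger buffer or a tighter filter helped. The two inputs are the summaries quoted in the message above; the function names and the 1% threshold are assumptions made for illustration.

```python
import re

# Matches tcpdump's exit summary lines, e.g. "50288 packets dropped by kernel".
_STAT = re.compile(
    r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel)\s*$")
_KEYS = {"captured": "captured", "received by filter": "received",
         "dropped by kernel": "dropped"}

def parse_tcpdump_stats(text):
    """Extract the three counters from tcpdump's summary, ignoring other lines."""
    stats = {}
    for line in text.splitlines():
        m = _STAT.match(line)
        if m:
            stats[_KEYS[m.group(2)]] = int(m.group(1))
    missing = set(_KEYS.values()) - stats.keys()
    if missing:
        raise ValueError(f"summary incomplete, missing: {sorted(missing)}")
    return stats

def kernel_drop_ratio(stats):
    """Fraction of packets seen by the filter that the kernel then dropped."""
    if stats["received"] == 0:
        return 0.0  # nothing arrived, so nothing was lost
    return stats["dropped"] / stats["received"]

def capture_is_trustworthy(text, max_ratio=0.01):
    """True when kernel drops stay at or below max_ratio (assumed threshold)."""
    return kernel_drop_ratio(parse_tcpdump_stats(text)) <= max_ratio

# Summaries as quoted in the message above.
LIVE = """15 packets captured
51104 packets received by filter
50288 packets dropped by kernel
"""
TO_FILE = """65235 packets captured
65489 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    for name, out in (("live decode", LIVE), ("write to file", TO_FILE)):
        ratio = kernel_drop_ratio(parse_tcpdump_stats(out))
        verdict = "ok" if capture_is_trustworthy(out) else "LOSSY"
        print(f"{name}: {ratio:.1%} dropped by kernel ({verdict})")
```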