RE: [Ntop] dropped - over 100%?

Burton Strauss Wed, 08 Dec 2004 07:49:29 -0800

To elaborate. (No, I'm not talking to myself) (Yes you are) (Shut up!)

If you dig into the libpcap code in the area of the stats, you will find
yourself baying at the moon, growing hair on the back of your hands and
doing various anti-social acts.


Essentially, the whole purpose of these blocks of code is to try and report
rationally that which is simply not rational.  Ultimately libpcap can't do
better than whatever the underlying OS does.  Which is different from OS to
OS and even release to release.  So "drops" means different things.

So for example, pcap_linux.c:

/*
 *  Get the statistics for the given packet capture handle.
 *  Reports the number of dropped packets iff the kernel supports
 *  the PACKET_STATISTICS "getsockopt()" argument (2.4 and later
 *  kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket
 *  patches); otherwise, that information isn't available, and we lie
 *  and report 0 as the count of dropped packets.
 */

Vs. this in pcap_nit.c:

        /*
         * "ps_recv" counts packets handed to the filter, not packets
         * that passed the filter.  As filtering is done in userland,
         * this does not include packets dropped because we ran out
         * of buffer space.
         *
         * "ps_drop" presumably counts packets dropped by the socket
         * because of flow control requirements or resource exhaustion;
         * it doesn't count packets dropped by the interface driver.
         * As filtering is done in userland, it counts packets regardless
         * of whether they would've passed the filter.
         *
         * These statistics don't include packets not yet read from the
         * kernel by libpcap or packets not yet read from libpcap by the
         * application.
         */

Etc.

-----Burton 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Burton Strauss
Sent: Wednesday, December 08, 2004 9:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] dropped - over 100%?

Move up to libpcap 0.8.x - it won't fix things, but it does report them more
rationally.
-----Burton 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi
Evron
Sent: Wednesday, December 08, 2004 8:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] dropped - over 100%?

Nick Weaver wrote:
> 
> Need more info...such as
> 
> 1. OS

RH ent 3.

> 2. Libcap version

0.7.2-7

> 3. NTOP version

3.0

Thanks'

        Gadi.
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop

RE: [Ntop] dropped - over 100%?

Reply via email to