> Recently I've been investigating why tcpdump on my IDS shows quite a few
> packets as being dropped. I think this is because my traffic to the IDS is
> fed through a hub where I know there are many collisions (there may be too
> many packets per second for the little soho 10/100 hub to handle). I'm not
> sure how tcpdump handles collisions, and so I don't know if this is even a
> problem or not.

I sense some fundamental misunderstandings here. Basically: A collision on half duplex media (such as a hub) is a *normal* and *expected* occurrence, and does *not* cause a packet to be dropped. Note that this does not apply to "late collisions" which are quite different - late collisions are signs of *error* (for instance a duplex mismatch).

> Is there a way to get more fine grained statistics on why packets are
> dropped, and would collisions coming in off a hub be shown as dropped? I'm
> seeing a traffic feed of roughly 4000-5000 packets per second and about 1000
> collisions per minute, so I don't think that the rate of traffic is the
> cause of my problem.

1000 collisions per minute with 4000-5000 pps is a very *low* collision rate.

> If the dropped packets being displayed are just the collisions from the hub
> then it's no big deal, but if it's something else I'd like to try and fix it
> of course.

I expect your dropped packets are due to something else. But you should definitely check for late collisions.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]