On a sniffer computer (P4 1.6GHz with 368MB RAM running Ubuntu without X server) which is equipped with a gigabit card and connected to the gigabit port set to mirror other ports on a cluster switch (all other ports on the switch are ordinary 10/100M), I am trying to capture TCP packets:

    sudo nice -20 tcpdump -v -s0 -i eth1 -w /tmp/stuff.pcap tcp

where eth1 is the gigabit port and /tmp is mounted on tmpfs (ramdisk) to avoid delays. I only run this command on console and I have turned off X server and any other unnecessary services to decrease delay (I checked with ps aux). However, when there are a lot of packets, tcpdump reports some packets dropped (e.g. 200-300 packets per 60000 packets) "by the kernel". Then I ran ifconfig eth1 and it says no packets were dropped (does it mean that no packets were dropped within the network card?).

Now can you see where the packet is dropped in the kernel (is it because the buffer is not big enough?) and how can I eliminate packet drops?

Thanks!

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
