On Sep 8, 2008, at 6:27 AM, lei wei wrote:
> By "unacceptable", I mean the number of packets that tcpdump
> processed was only a fraction of that it received. I assume that
> "Number of Packets received by filter" are the packets that were
> matched by the filter expression,
No.
On systems with BPF (including all versions of FreeBSD, including 6.0
and 7.0, and with all versions of libpcap), "Number of Packets
received by filter" is the number of packets that were handed to the
filter to match, *including packets that were not matched by the
filter expression*.
On some other systems (e.g., Linux), it's the number of packets that
passed the filter, regardless of whether they were dropped because the
system ran out of buffer space.
> so with a filter, tcpdump can only process 3984 out of 1091656
> ip packets....
So, with a filter, tcpdump was only handed 3984 packets out of 1091656
packets.
Note that "ip" means IPv4, not IPv4 and IPv6; if most of the traffic
on your network is either non-IP traffic (note that ARP traffic is not
IP traffic) or IPv6 traffic, a filter of "ip" will filter out most of
the traffic received.
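To make the two points above concrete (the platform-dependent meaning of "packets received by filter", and "ip" matching IPv4 only), here is a small simulation. It is an added example written for this thread, not tcpdump or libpcap code: it builds constructed Ethernet II frames, applies an "ip"-style EtherType check, and models the kernel counters under BPF semantics (every packet handed to the filter is counted) and Linux semantics (only packets that pass the filter are counted). The bounded-buffer drop model, the `run_capture`/`interpret` function names and the `platform` argument are assumptions of the example.

```python
"""Model of libpcap's "packets received by filter" counter on BPF vs Linux.

Added example, not tcpdump/libpcap code. Frames are constructed sample data;
the buffer/drop model is a deliberately simple assumption.
"""
import struct
from collections import deque
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800   # what the tcpdump filter keyword "ip" matches
ETHERTYPE_ARP = 0x0806    # ARP is not IP traffic
ETHERTYPE_IPV6 = 0x86DD   # not matched by "ip"; needs "ip6"


def make_frame(etype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame (constructed sample data)."""
    dst, src = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"
    return dst + src + struct.pack("!H", etype) + payload


def ethertype(frame: bytes) -> int:
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return struct.unpack("!H", frame[12:14])[0]


def filter_ip(frame: bytes) -> bool:
    """Equivalent of the filter expression "ip": IPv4 only."""
    return ethertype(frame) == ETHERTYPE_IPV4


def filter_ip_or_ip6(frame: bytes) -> bool:
    """Equivalent of "ip or ip6": both IP versions, still not ARP."""
    return ethertype(frame) in (ETHERTYPE_IPV4, ETHERTYPE_IPV6)


@dataclass
class Stats:
    ps_recv: int = 0    # "packets received by filter"
    captured: int = 0   # "packets captured" (delivered to user space)
    ps_drop: int = 0    # "packets dropped by kernel"


def run_capture(frames, bpf_filter, platform, buffer_slots=64, reads_per_arrival=1):
    """Simulate the kernel side of a capture and the pcap_stats() counters.

    platform is "bpf" (FreeBSD and other BSDs) or "linux". The capture buffer is
    a bounded queue; the user-space reader drains reads_per_arrival packets per
    arriving frame, and a matched packet that finds the queue full is dropped
    (hypothetical model of running out of buffer space).
    """
    st = Stats()
    buf = deque()
    for frame in frames:
        for _ in range(reads_per_arrival):      # reader gets a turn first
            if buf:
                buf.popleft()
                st.captured += 1
        matched = bpf_filter(frame)
        if platform == "bpf":
            st.ps_recv += 1                     # counted whether matched or not
            if not matched:
                continue
        elif platform == "linux":
            if not matched:
                continue
            st.ps_recv += 1                     # counted only after passing the filter
        else:
            raise ValueError(f"unknown platform {platform!r}")
        if len(buf) >= buffer_slots:
            st.ps_drop += 1
        else:
            buf.append(frame)
    st.captured += len(buf)                     # reader drains the rest at exit
    return st


def interpret(st: Stats, platform: str) -> dict:
    """What the reported counters actually tell you on each platform."""
    if platform == "bpf":
        matched = st.captured + st.ps_drop      # ps_recv includes unmatched packets
        frac = matched / st.ps_recv if st.ps_recv else 0.0
        return {"matched_by_filter": matched, "match_fraction": frac, "dropped": st.ps_drop}
    # Linux: ps_recv already excludes unmatched packets, so the total seen is unknown
    return {"matched_by_filter": st.ps_recv, "match_fraction": None, "dropped": st.ps_drop}


# Constructed traffic mix: 3 IPv4, 5 IPv6, 2 ARP frames.
SAMPLE_FRAMES = [make_frame(t) for t in (
    ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP, ETHERTYPE_IPV4, ETHERTYPE_IPV6,
    ETHERTYPE_IPV6, ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_IPV6, ETHERTYPE_ARP,
)]

if __name__ == "__main__":
    for plat in ("bpf", "linux"):
        s = run_capture(SAMPLE_FRAMES, filter_ip, plat)
        print(plat, s, interpret(s, plat))
```

With the same ten frames and filter "ip", the BPF run reports 10 received by filter but only 3 captured with zero drops, exactly the pattern in the question, while the Linux run reports 3 received and 3 captured. Switching the filter to `filter_ip_or_ip6` raises the matched count to 8, which is the practical check when most traffic on the segment turns out to be IPv6 or non-IP.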
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.