On Jul 4, 2010, at 7:15 AM, bored to death wrote:

> i'm having quite a problem with tcpdump 4.0.0

Combine the previous sentence and the subject line - at this point, you're 
comparing libpcap 0.9.8+tcpdump 3.9.8 with libpcap 1.0.0+tcpdump 4.0.0, and the 
problem could be caused by libpcap 1.0.0, tcpdump 4.0.0, or the combination of 
them.

I doubt that it's tcpdump 4.0.0's problem, but the first thing you should try 
is to build the same version of tcpdump - 3.9.8 or 4.0.0 - with both versions 
of libpcap, and see what happens.  (libpcap and tcpdump are released together, 
but tcpdump is supposed to be able to work with versions of libpcap other than 
the one with which it was released.)

> i'm trying to dump gigabit network traffic to file with tcpdump. at first, i 
> was on Debian 5. i had tcpdump 3.9.8 (uses libpcap 0.9.8) installed and with 
> upgrading network-related parameters of kernel, i had no packet drop and 
> everything was fine. but then i installed tcpdump 4.0.0 (which uses libpcap 
> 1.0) and this caused a huge packet drop in my receive. (in 700Mb tcp traffic, 
> 1 out of 3 packets were being dropped)
> i installed and checked dumpcap (comes with wireshark) and realized wireshark 
> 1.2.6 which is built with libpcap 0.9.8 doesn't have packet drop, but 
> wireshark 1.2.7 which is built with libpcap 1.0 has the same problem and 
> packets are hugely being dropped. (i'm not sure about wireshark versions)

Are those versions of dumpcap linked statically, or dynamically, with libpcap?  
What happens if you run both versions of dumpcap with the -v flag?

> so does libpcap 1.0 really have this bad bug or i'm doing something wrong?
> 
> also, i tested tcpdump 3.9.7 (with libpcap 0.9.7) and tcpdump 4.0.0 (with 
> libpcap 1.0) on FreeBSD 8.0 (700Mb tcp traffic) and the result was almost the 
> same. (packet drop with tcpdump 4.0 was 6 times more than tcpdump 3.9.7, 
> though here i couldn't make tcpdump 3.9.7 dump with zero packet loss)

The biggest difference between libpcap 0.9.8 and libpcap 1.0.0 on both Linux 
and FreeBSD is that, in both cases, libpcap 1.0.0 supports a memory-mapped 
interface but libpcap 0.9.8 doesn't.  I wouldn't expect that to make things 
*worse*, but, just because one might *expect* the memory-mapped interface to 
work better, that doesn't mean it *will* work better.

If, after you try this with the tcpdump version held constant (which it 
probably will be, as per my comment above, and as the same issue is showing up 
with Wireshark), it's a libpcap issue rather than a tcpdump issue, try tweaking 
pcap-linux.c and pcap-bpf.c in libpcap 1.0.0 to disable the memory-mapped 
interface:

        for Linux, after running the configure script, get rid of the 
definition of HAVE_PACKET_RING in config.h;

        for FreeBSD, after running the configure script, get rid of the 
definition of HAVE_ZEROCOPY_BPF in config.h;

and rebuild.
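Added example, not part of the original thread: a small POSIX sh helper script for the two things the reply asks the poster to do, namely switch off the memory-mapped capture path in an already-configured libpcap 1.0.0 tree and then compare kernel drop counts between builds. It assumes `./configure` has already produced `config.h`, that tcpdump prints its usual end-of-run "packets received by filter" / "packets dropped by kernel" summary on stderr, and that `ldd` is available for the static-versus-dynamic linkage question; the function names and the sample summary lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for the checks
# suggested above; function names are hypothetical.

# 1. Disable the memory-mapped interface in an already-configured libpcap
#    1.0.0 tree by turning "#define MACRO 1" in config.h into the commented
#    "#undef" form that autoconf itself writes for undetected features.
#    Usage: disable_mmap_define config.h HAVE_PACKET_RING   (Linux)
#           disable_mmap_define config.h HAVE_ZEROCOPY_BPF  (FreeBSD)
#    Run "make" afterwards, then rebuild tcpdump against the result.
disable_mmap_define() {
    cfg="$1"; macro="$2"
    tmp="$cfg.tmp"
    sed "s|^#define $macro .*|/* #undef $macro */|" "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    # Succeed only if the macro is no longer defined.
    ! grep -q "^#define $macro" "$cfg"
}

# 2. Turn tcpdump's summary (read from stdin) into an integer percentage of
#    packets dropped by the kernel relative to packets received by the
#    filter, so two builds can be compared on the same traffic, e.g.:
#      312 packets captured
#      468 packets received by filter
#      156 packets dropped by kernel
#    Prints 0 when no "received by filter" line is present.
drop_pct() {
    awk '/received by filter/ { recv = $1 }
         /dropped by kernel/  { drop = $1 }
         END { if (recv + 0 == 0) print 0; else printf "%d\n", (drop * 100) / recv }'
}

# 3. Report whether a capture binary (tcpdump, dumpcap) resolves libpcap
#    dynamically; if ldd does not list it, the binary carries its own copy
#    (or ldd could not inspect it), which matters when comparing versions.
#    Usage: libpcap_linkage /usr/sbin/tcpdump
libpcap_linkage() {
    if ldd "$1" 2>/dev/null | grep -q libpcap; then
        echo dynamic
    else
        echo static-or-unknown
    fi
}
```

Typical use: `tcpdump -i eth0 -w out.pcap 2> summary.txt`, then `drop_pct < summary.txt` for each build; a comparison is only meaningful when the tcpdump version is held constant and only the libpcap underneath changes, as the reply says.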

This is the tcpdump-workers list.