On Oct 10, 2011, at 8:28 PM, Jon Schipp wrote:
> I'm going through some past mailing list posts and I found this, which may
> have answered my question on where libpcap on Linux gets its drop count:
> http://seclists.org/tcpdump/2010/q3/46
>
> "You have a recent version of libpcap, and a recent kernel, so pcap_stats()
> should be getting the dropped-packet statistics by calling
> getsockopt(PF_PACKET socket, SOL_PACKET, PACKET_STATISTICS, &statistics
> buffer, ...). The PF_PACKET socket code should increment the count of
> dropped packets any time it fails to put a packet into the buffer because
> the buffer is full."
>
> Is this still true?

"[If] you have a recent version of libpcap, and a recent kernel, [then]
pcap_stats() should be getting the dropped-packet statistics by calling..." is
still true as of the top-of-Git-trunk code today; we have not changed it and
have no reason to change it.

"The PF_PACKET socket code [increments] the count of dropped packets any time
it fails to put a packet into the buffer because the buffer is full." appears
to be true at least as of
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob_plain;f=net/packet/af_packet.c;hb=HEAD

Is there a reason why you might think it's no longer true?
This is the tcpdump-workers list.
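
The getsockopt() call quoted in this message, as an added example (not libpcap's code and not part of the original post). The names read_packet_stats, add_stats and capture_totals are made up for illustration; the running totals are kept because, per packet(7), the kernel resets its counters each time PACKET_STATISTICS is read.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>        /* htons */
#include <sys/socket.h>       /* SOL_PACKET */
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* PACKET_STATISTICS, struct tpacket_stats */

/* Hypothetical accumulator: the kernel zeroes its counters on every read. */
struct capture_totals {
    unsigned long long seen;     /* packets handed to the socket, drops included */
    unsigned long long dropped;  /* packets dropped because the buffer was full */
};

/* One PACKET_STATISTICS read. Returns 0 on success, -1 with errno set. */
int read_packet_stats(int fd, struct tpacket_stats *st)
{
    socklen_t len = sizeof(*st);
    memset(st, 0, sizeof(*st));
    return getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, st, &len) == 0 ? 0 : -1;
}

/* Fold one read into the totals; the tp_packets returned already includes tp_drops. */
void add_stats(struct capture_totals *t, const struct tpacket_stats *st)
{
    t->seen += st->tp_packets;
    t->dropped += st->tp_drops;
}

int main(void)
{
    struct capture_totals totals = {0, 0};
    struct tpacket_stats st;
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); /* needs CAP_NET_RAW */
    if (fd < 0) { perror("socket(PF_PACKET)"); return 1; }
    /* Nothing ever recv()s from fd, so on a busy host the socket buffer
       fills and the dropped count starts to climb. */
    for (int i = 0; i < 5; i++) {
        sleep(1);
        if (read_packet_stats(fd, &st) != 0) { perror("getsockopt"); break; }
        add_stats(&totals, &st);
        printf("seen=%llu dropped=%llu\n", totals.seen, totals.dropped);
    }
    close(fd);
    return 0;
}
```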