The reason I want to increase it is because I keep dropping loads of packets. Half the packets are being dropped on a machine that is supposed to have server specs.
I'm talking about increasing size of the buffer the kernel uses for capturing packets, not the snap length. ----- Original Message ----- From: "David Chang" <[EMAIL PROTECTED]> To: "Justin Robinson" <[EMAIL PROTECTED]> Sent: Tuesday, January 15, 2002 5:43 AM Subject: Re: [tcpdump-workers] Output goes weird! > Justin, > > My understanding is the capture buffer is quite large. Why do you want to > increase it? > > If you're referring to the individual packet capture buffer (i.e. 'caplen'), > you do it in pcap_open_live(). > > For example: > > handle = pcap_open_live(device, MAX_PACKET_SIZE, mode, 500, > err_buf); > > and set MAX_PACKET_SIZE to something like 4K. > > I read a tutorial that used BUFSIZ for the caplen, which is OK on most > systems, but in Solaris, BUFSIZ was only 1024 and that's smaller than the > MTU on Ethernet networks, so some packets were truncated. Maybe that's > what's happening to you in FreeBSD. > > DC > > ----- Original Message ----- > From: "Justin Robinson" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Saturday, September 13, 2003 3:00 AM > Subject: Fw: [tcpdump-workers] Output goes weird! > > > > Hi > > > > How would I go about increasing the buffer size on FreeBSD? I've read lots > > about it but I'm not quite sure how > > you do it. > > > > Do I have to change the pcap source and recompile. If so... how do I do > this > > please? > > > > Thanks in advance > > Regards > > Justin > > > > > > ----- Original Message ----- > > From: <[EMAIL PROTECTED]> > > To: "Guy Harris" <[EMAIL PROTECTED]> > > Cc: <[EMAIL PROTECTED]>; "Michael Richardson" > > <[EMAIL PROTECTED]> > > Sent: Friday, September 12, 2003 10:11 AM > > Subject: Re: [tcpdump-workers] Output goes weird! > > > > > > > Hi > > > > > > > > > > > > The non-printable characters problem is fixed. > > > > > I fixed it by setting the snaplen to 2048. > > > > > > > > That's not a fix, that just hides the problem - your program should, > > > > for safety's sake, check the "caplen" field of the pcap_pkthdr > > > > structure, and not look at any bytes past that length. (Yes, if > you're > > > > capturing on a network where packets are never > 2048 bytes, you > > > > *should* be safe - but, just in case the packet is somehow malformed, > > > > you should *still* do that check.) > > > > > > > > > > I see - Ok... I will add this check (or at least write about it :o)) > > > > > > > > The packet dropping is a separate problem. > > > > > I used TCPDUMP to tell me wether packets were being dropped... > > > > > at the end where it gives number received and number dropped by > > kernel. > > > > > > > > > > > > Are you using a packet filter expression when capturing? I.e., does > > > > your program do a "pcap_compile()" and a "pcap_setfilter()"? > > > > > > > > > > Yes I'm applying a filter with pcap_compile() and then pcap_setfilter(). > > > > > > Justin > > > - > > > This is the TCPDUMP workers list. It is archived at > > > http://www.tcpdump.org/lists/workers/index.html > > > To unsubscribe use > > mailto:[EMAIL PROTECTED] > > > > > > > > > - > > This is the TCPDUMP workers list. It is archived at > > http://www.tcpdump.org/lists/workers/index.html > > To unsubscribe use > mailto:[EMAIL PROTECTED] > > > > - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
