On Fri, Jun 08, 2001 at 08:47:27PM +0000, Subba Rao wrote:
> After running tcpdump for a while on an active network (Linux, OpenBSD and NT),
> I interrupted and saw the following output at the end,
>
> 83190 packets received by filter
> 81285 packets dropped by kernel
>
> Why are the packets being dropped by the kernel?

The count printed with "packets dropped by kernel" comes from the
"ps_drop" field of the structure filled in by the "pcap_stats()" call;
on BSD systems, that's the "bs_drop" field from the BIOCGSTATS ioctl,
and the BPF man page on FreeBSD 3.4 (but it's probably similar, and I
suspect the same, on all BSDs) says:

     bs_drop   the number of packets which were accepted by
               the filter but dropped by the kernel because
               of buffer overflows (i.e., the application's
               reads aren't keeping up with the packet
               traffic).

> The ethernet adapter is from
> 3Com. I was told that the OpenBSD NE2000 driver drops packets. The 3Com adapter
> works great.

"dropped by kernel" refers, as per the above, not to packets dropped by
the network adapter or the driver, but dropped by the BPF mechanism.

> Does this mean that I cannot analyze all the traffic on the
> network?

Quite possibly - it may be that there's too much traffic for tcpdump to
handle on the machine on which you're running it.

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
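
The buffer-overflow condition in the man page text quoted above, as an added example that is not part of the original message and is not kernel code: a simplified model of a BPF descriptor, assuming the BSD arrangement of a store buffer filled by the kernel and a hold buffer drained by read(). The buffer size, packet size, and arrival and read rates are constructed values.

```c
#include <stdio.h>
/* Simplified model (an assumption, not kernel code) of one BPF descriptor:
 * the kernel fills a store buffer while read() drains a hold buffer. */
struct bpf_model {
    unsigned buf_size;            /* bytes in each of the two buffers */
    unsigned store_len, hold_len; /* bytes queued / waiting for read() */
    unsigned long recv, drop;     /* accepted by filter / lost to overflow */
};
/* Kernel side: a packet (pkt_len <= buf_size) passed the filter. */
static void model_tap(struct bpf_model *m, unsigned pkt_len)
{
    m->recv++;
    if (m->store_len + pkt_len > m->buf_size) {
        if (m->hold_len != 0) {      /* hold buffer not yet read: drop */
            m->drop++;
            return;
        }
        m->hold_len = m->store_len;  /* rotate store -> hold */
        m->store_len = 0;
    }
    m->store_len += pkt_len;
}
/* Application side: one read() hands back at most one buffer. */
static void model_read(struct bpf_model *m)
{
    if (m->hold_len == 0)
        m->store_len = 0;            /* nothing held: store buffer handed over */
    m->hold_len = 0;                 /* held buffer copied out to the reader */
}
/* pkts_per_tick packets arrive per tick; read() runs every read_every ticks. */
static struct bpf_model simulate(unsigned buf_size, unsigned pkt_len,
        unsigned pkts_per_tick, unsigned read_every, unsigned ticks)
{
    struct bpf_model m = { buf_size, 0, 0, 0, 0 };
    for (unsigned t = 1; t <= ticks; t++) {
        for (unsigned i = 0; i < pkts_per_tick; i++)
            model_tap(&m, pkt_len);
        if (t % read_every == 0)
            model_read(&m);
    }
    return m;
}
int main(void)
{
    struct bpf_model fast = simulate(4096, 128, 10, 1, 100);   /* constructed load */
    struct bpf_model slow = simulate(4096, 128, 10, 10, 100);  /* same load, slow reader */
    printf("drops: fast reader %lu, slow reader %lu\n", fast.drop, slow.drop);
    return 0;
}
```

With the same constructed traffic, only the reader's pace changes the drop count, which is why the adapter and driver are not where this counter points.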