LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 07-13-2003, 02:34 PM   #1
Blindsight
Member
 
Registered: Mar 2003
Distribution: Slackware
Posts: 234

Rep: Reputation: 30
tcpdump and dropped packets


Using tcpdump shows that:

2182 packets received by filter
1983 packets dropped by kernel

Why is it dropping so many packets? Is there a way I can tell which packets are being dropped? I tried using the -j LOG, but it's still not telling me what packets it's dropping.

iptables -A FORWARD -j LOG <-- that syntax is correct or should I use something else?

I tried finding documentation on --log-level but I haven't been able to find any. I don't know if 0 or 255 is more verbose, I've tried both.

Any help or links would be much appreciated. Thanks in Advance.
 
Old 07-14-2003, 03:20 PM   #2
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
Blindsight,

tcpdump and iptables are two different entities. tcpdump should be getting what is coming over the wire (before iptables gets a hold of it). The kernel is not able to deliver the packets to tcpdump. How fast is your network vs. your machine? What is the load on the machine?

Hope that helps,
chris
 
Old 07-14-2003, 06:00 PM   #3
Blindsight
Member
 
Registered: Mar 2003
Distribution: Slackware
Posts: 234

Original Poster
Rep: Reputation: 30
network = 10mbit
machine = 486/66 w/ 8mb of RAM

has a 15 minute average load of .01

This should be plenty to route and NAT for 3 machines on my LAN.

Also, I understand tcpdump and iptables are not the same. My question was, why is tcpdump saying it's dropping a buttload of packets? The only reason I had iptables in there at all was that I was trying to log these dropped packets in the hopes it would help me solve the mystery.
 
Old 07-14-2003, 09:10 PM   #4
neo77777
LQ Addict
 
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704

Rep: Reputation: 55
TCPDump can't keep up with the network speed, read the machine isn't speedy enough to process all the packets on the wire - RAM is the issue not a the speed of the processor - your sniffer is a layer 2 (data link) packet analizer, for it to be able to process all the packets coming on thewire it needs place to buffer them, and 8 Mb isn't enough so it tries to swap memory using HDD - memory paging concepts - I bet your HDD is from the era of 486 computing which has a huge latency factor - that's why the pockets dropped.
 
Old 07-14-2003, 09:44 PM   #5
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
Blindsight,

The tcpdump man page explains the message. The kernel has a buffer for packets to be delivered to tcpdump. If tcpdump doesn't respond quickly enough, the kernel will overwrite old packets with new ones. I believe the key would be getting tcpdump to go faster.

What options are you passing to tcpdump? Are you writing to a file? I'm pretty sure tcpdump loses packets when it has to do DNS lookups, no matter what the speed of the machine. I also seem to remember tcpdump not being able to process all the packets when I had a 486 running Linux, but that was years ago.

Good Luck,
chris
 
Old 07-14-2003, 10:41 PM   #6
Blindsight
Member
 
Registered: Mar 2003
Distribution: Slackware
Posts: 234

Original Poster
Rep: Reputation: 30
neo777777 and bastard23; that was exactly the answer I was looking for and makes perfect sense.

And in looking in the man page of tcpdump, I feel like a boob. Thanks for pointing that out, bastard23 =)

Thanks again.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
What process sent packets dropped by firewall? cherylchase Linux - Security 4 03-18-2005 09:36 AM
too much dropped packets...Hi.. alaios Linux - Networking 2 02-10-2005 04:49 AM
select() and dropped packets MrHenky Linux - Networking 0 02-04-2005 09:15 AM
Dropped packets - is this a problem?? benr77 Linux - General 4 10-04-2004 02:05 PM
dropped packets... sohmc Linux - Software 3 05-29-2003 09:26 AM


All times are GMT -5. The time now is 05:10 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration