Michael Lazin via plug on 15 Apr 2024 18:12:38 -0700



Re: [PLUG] is it normal for the kernel to drop packets when running tcpdump


Thanks for the explanation.  I should have checked Stackexchange.  Thanks for the link, I am going to experiment with different buffer sizes as the article suggests.  

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.


On Mon, Apr 15, 2024 at 8:51 PM Jonathan Caicedo <jonathan@jcaicedo.com> wrote:
I sound like I kinda contradicted myself in a weird way in the last paragraph while saying that tcpdump won’t count packets dropped in buffers that don’t hit userspace - that part is true, for other programs. tcpdump will however count packets that get overwritten in its own buffer - that’s the “dropped by the kernel” part. 

— Jonathan

On Apr 15, 2024, at 20:47, Jonathan Caicedo <jonathan@jcaicedo.com> wrote:


I just ran a tcpdump on my machine to help validate, but yes it’s normal. 



It’s likely the bulk of those packets are tcpdump’s fault itself - tcpdump creates a buffer (by default 4KB) and then has to do some filtering (caveat - filtering is done with BPF at the kernel level, so it’s negligible overhead, and filtering will actually improve tcpdump’s performance preventing packet drops) and processing on incoming/outgoing packets - if tcpdump can’t empty that buffer quickly enough because of processing overhead, the kernel will overwrite them and that counter will be incremented. See here - https://unix.stackexchange.com/questions/144794/why-would-the-kernel-drop-packets

Now here’s the thing, on a larger note, the kernel drops packets all the time before they hit userspace. Think invalid packets, buffers that get filled too quickly (like above), or iptables rules that drop packets. It’s not uncommon. Now tcpdump sits in front of that - it tries its best to capture packets as they are on the wire leaving/entering your network interface - it won’t really count packets dropped for _those_ reasons (with some exceptions that I can’t immediately think of) - so it’s likely all buffering. 

— Jonathan
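The buffer-overwrite counter Jonathan describes above, as an added example that is not part of this thread: a small POSIX shell helper that turns the three-line summary tcpdump prints on exit into a drop percentage, so runs with different capture buffer sizes (tcpdump's -B option, in KiB) can be compared. The summary text is a constructed sample modelled on the one quoted in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the summary tcpdump writes to
# stderr when it stops and reports how much of the traffic the kernel had
# to discard because tcpdump did not drain its capture buffer in time.

# Constructed sample summary, same shape as the one posted to the list.
SAMPLE_SUMMARY='2021 packets captured
2805 packets received by filter
244 packets dropped by kernel'

# Print the integer in front of a given phrase, e.g. "dropped by kernel".
# Prints nothing if the phrase is absent (older or non-Linux builds vary).
tcpdump_stat() {
    printf '%s\n' "$1" | awk -v key="$2" 'index($0, key) { print $1; exit }'
}

# Whole-percent share of filter-received packets that were dropped for lack
# of buffer space, rounded to nearest. "received by filter" is the
# denominator because it is counted before the buffer can overflow; note that
# on some platforms it also includes packets that failed the filter or were
# still buffered when tcpdump stopped, so captured + dropped need not equal it.
drop_percent() {
    _received=$(tcpdump_stat "$1" "received by filter")
    _dropped=$(tcpdump_stat "$1" "dropped by kernel")
    _received=${_received:-0}
    _dropped=${_dropped:-0}
    [ "$_received" -gt 0 ] || { echo 0; return; }
    echo $(( (_dropped * 100 + _received / 2) / _received ))
}

# Return 0 (true) when the drop share is at or below a threshold percentage,
# 1 otherwise. Useful for deciding whether a larger -B value is warranted.
drops_acceptable() {
    [ "$(drop_percent "$1")" -le "$2" ]
}

# Real-world use (needs root and a capture interface, so not run here):
#   tcpdump -i eth0 -B 4096 -c 5000 -w out.pcap 'port 443' 2> stats.txt
#   drop_percent "$(cat stats.txt)"
# Re-run with a larger -B and compare the two percentages.
drop_percent "$SAMPLE_SUMMARY"
```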

On Apr 15, 2024, at 19:21, Michael Lazin via plug <plug@lists.phillylinux.org> wrote:


^C
2021 packets captured
2805 packets received by filter
244 packets dropped by kernel
root@microlaser-IdeaPad-Slim-3-15IRU8:/home/microlaser#

I have been experimenting with running tcpdump on both my Linux box and my Mac and the kernel is dropping packets on both machines.  This was taken from my Linux box.  Is this normal?

Thank you,

Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug