Re: [PLUG] is it normal for the kernel to drop packets when runningtcpdump

["Alan D. Salewski via plug" <plug@lists.phillylinux.org>]

On Mon, Apr 15, 2024, at 19:21, Michael Lazin via plug wrote:
> ^C
> 2021 packets captured
> 2805 packets received by filter
> 244 packets dropped by kernel
> root@microlaser-IdeaPad-Slim-3-15IRU8:/home/microlaser#
>
> I have been experimenting with running tcpdump on both my Linux box and my
> Mac and the kernel is dropping packets on both machines.  This was taken
> from my Linux box.  Is this normal?

Yep, that's normal. From tcpdump(8):
<quote>
    When tcpdump finishes capturing packets, it will report counts
    of:
    ...
        packets ``dropped by kernel'' (this is the number of packets
        that were dropped, due to a lack of buffer space, by the
        packet capture mechanism in the OS on which tcpdump is
        running, if the OS reports that information to applications;
        if not, it will be reported as 0).
    ...
</quote>

You might be able to reduce or eliminate that by some combination of
the '-n' and '-B' options, and possibly other options that might
balance out the packet volume vs. work-per-packet ratio.

<quote>
      -n     Don't  convert  addresses  (i.e.,  host addresses, port numbers,
              etc.) to names.
</quote>

<quote>
       -B buffer_size
       --buffer-size=buffer_size
              Set the operating system capture buffer size to buffer_size,  in
              units of KiB (1024 bytes).
</quote>

-- 
a l a n   d.   s a l e w s k i
ads@salewski.email
salewski@att.net
https://github.com/salewski
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug