Re: I would like to tcpdump and get all the packets...

From: Lev Walkin (vlm_at_netli.com)
Date: 09/18/03

    Date: Wed, 17 Sep 2003 18:46:37 -0700
    To: Josh Brooks <user@mail.econolodgetulsa.com>
    
    

    Josh Brooks wrote:
    > Whenever I run:
    >
    > tcpdump -vvv
    >
    > when I am finished, I am surprised to see:
    >
    > 27441 packets received by filter
    > 7866 packets dropped by kernel
    >
    > I have pored over the tcpdump man page, but do not see how to tell it to
    > not drop any of the packets.
    >
    > What is the purpose behind this ? I can't think of any situation where I
    > would want to run tcpdump and not see certain things.
    >
    > The whole point of my tcpdump usage is to try to catch some malicious
    > traffic that I think is hitting my system - if it is dropping so many
    > packets, I might never see it!
    >
    > Many thanks - and also, just out of curiosity, what _is_ the situation in
    > which it helps to throw out 20% of the packets and not see them ?

    Would you want to de-prioritize tcpdump so if it can't process data quickly
    enough as the kernel receives them, the kernel would stop processing packets
    and wait for tcpdump to finish?

    But seriously, there is a solution for your problem. Add a -n to your
    numerous -v's. You probably don't want to spend tcpdump's precious time
    resolving the IPs it captures while losing data.

    -- 
    Lev Walkin
    vlm@netli.com
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
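As an added example that is not part of the thread, a POSIX shell snippet that parses the summary tcpdump prints on exit (the two lines Josh quoted) and flags a capture as incomplete whenever the kernel dropped anything; the sample counts are the ones quoted above, embedded as constructed input.

```shell
#!/bin/sh
# Added example (not from the original thread): parse tcpdump's exit
# summary and flag captures whose evidence is incomplete because the
# kernel dropped packets.

# Sample summary, constructed to mirror the counts quoted in the thread.
SAMPLE_SUMMARY='27441 packets received by filter
7866 packets dropped by kernel'

# Print the integer preceding the given phrase, or 0 if no such line exists.
summary_count() {
    # $1 = summary text, $2 = phrase such as "dropped by kernel"
    printf '%s\n' "$1" | awk -v phrase="$2" '
        index($0, phrase) { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Drop rate in percent with one decimal, computed in integer tenths so the
# script stays free of floating point and works in plain sh.
drop_pct() {
    received=$(summary_count "$1" "received by filter")
    dropped=$(summary_count "$1" "dropped by kernel")
    if [ "$received" -eq 0 ]; then
        echo "0.0"
        return
    fi
    tenths=$((dropped * 1000 / received))
    echo "$((tenths / 10)).$((tenths % 10))"
}

# Exit status 0 when nothing was dropped, 1 when the capture has gaps.
capture_complete() {
    dropped=$(summary_count "$1" "dropped by kernel")
    [ "$dropped" -eq 0 ]
}

# Stand-alone demonstration against the constructed sample.
if ! capture_complete "$SAMPLE_SUMMARY"; then
    echo "capture incomplete: $(drop_pct "$SAMPLE_SUMMARY")% dropped by kernel"
fi
```

Feed it the stderr tcpdump writes when it exits (for example `tcpdump -n ... 2>summary.txt`); a non-zero drop count means the capture cannot be treated as a complete record of what reached the interface.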
