Re: libpcap 1.0 huge packet drop?
Guy Harris <guy <at> alum.mit.edu>
2010-07-04 19:36:38 GMT
On Jul 4, 2010, at 7:15 AM, bored to death wrote:
> i'm having quite a problem with tcpdump 4.0.0
Combine the previous sentence and the subject line - at this point, you're comparing libpcap
0.9.8+tcpdump 3.9.8 with libpcap 1.0.0+tcpdump 4.0.0, and the problem could be caused by libpcap 1.0.0,
tcpdump 4.0.0, or the combination of them.
I doubt that it's tcpdump 4.0.0's problem, but the first thing you should try is to build the same version of
tcpdump - 3.9.8 or 4.0.0 - with both versions of libpcap, and see what happens. (libpcap and tcpdump are
released together, but tcpdump is supposed to be able to work with versions of libpcap other than the one
with which it was released.)
> i'm trying to dump gigabit network traffic to file with tcpdump. at first, i was on Debian 5. i had tcpdump
3.9.8 (uses libpcap 0.9.8) installed and with upgrading network-related parameters of kernel, i had no
packet drop and everything was fine. but then i installed tcpdump 4.0.0 (which uses libpcap 1.0) and this
caused a huge packet drop in my receive. (in 700Mb tcp traffic, 1 out of 3 packets were being dropped)
> i installed and checked dumpcap (comes with wireshark) and realized wireshark 1.2.6 which is built with
libpcap 0.9.8 doesn't have packet drop, but wireshark 1.2.7 which is built with libpcap 1.0 has the same
problem and packets are hugely being dropped. (i'm not sure about wireshark versions)
Are those versions of dumpcap linked statically, or dynamically, with libpcap? What happens if you run
both versions of dumpcap with the -v flag?
> so does libpcap 1.0 really have this bad bug or i'm doing something wrong?
> also, i tested tcpdump 3.9.7(with libpcap 0.9.7) and tcpdump 4.0.0 (with libpcap 1.0) on FreeBSD 8.0
(700Mb tcp traffic) and result was almost the same. (packet drop with tcpdump 4.0 was 6 times more than
tcpdump 3.9.7, though here i couldnt make tcpdump 3.9.7 to dump with zero packet loss)