Re: [tcpdump-workers] Libpcap receives partial packets

2012-05-08 Thread Hrju
Libpcap version 1.0.0 and greater uses mmap with a kernel-space ring buffer.
You may see the following comment in the create_ring() function, which creates this
ring and populates it with fixed-size frames:

"* So, for now, we just do this for Ethernet devices, where
 * there's no metadata header, and the link-layer header is
 * fixed length.  We can get the maximum packet size by
 * adding 18, the Ethernet header length plus the CRC length
 * (just in case we happen to get the CRC in the packet), to
 * the MTU of the interface; we fetch the MTU in the hopes
 * that it reflects support for jumbo frames.  (Even if the
 * interface is just being used for passive snooping, the driver
 * might set the size of buffers in the receive ring based on
 * the MTU, so that the MTU limits the maximum size of packets
 * that we can receive.)
 *
 * We don't do that if segmentation/fragmentation or receive
 * offload are enabled, so we don't get rudely surprised by
 * "packets" bigger than the MTU. */
"
It may explain both your and my issues. But it does not provide any solution.



-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
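
To check a saved capture for the symptom discussed in this thread, here is an added example (not code from the thread or from libpcap): it walks the records of a classic pcap savefile image and counts those with caplen < len, separating records cut at the file's snapshot length from records cut short of it. The names scan_pcap, trunc_stats, put_file_header and put_record are hypothetical, the sample input is constructed, and pcapng and the nanosecond-timestamp magic are not handled.

```c
/* Added example, not libpcap code: tally truncated records in a pcap savefile image. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct trunc_stats { uint32_t snaplen; unsigned records, at_snaplen, below_snaplen; };

static uint32_t rd32(const uint8_t *p, int be) {   /* be != 0: big-endian file */
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
static void wr32le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0, or -1 on a bad magic number or a record that overruns the buffer. */
int scan_pcap(const uint8_t *buf, size_t n, struct trunc_stats *st) {
    uint32_t magic = n >= 24 ? rd32(buf, 0) : 0;
    if (magic != 0xa1b2c3d4u && magic != 0xd4c3b2a1u) return -1;
    int be = (magic == 0xd4c3b2a1u);
    memset(st, 0, sizeof *st);
    st->snaplen = rd32(buf + 16, be);               /* snaplen field of the file header */
    for (size_t off = 24; off < n; ) {
        if (n - off < 16) return -1;                /* partial record header */
        uint32_t caplen = rd32(buf + off + 8, be), len = rd32(buf + off + 12, be);
        off += 16;
        if (caplen > n - off) return -1;            /* record data runs past the buffer */
        off += caplen; st->records++;
        if (caplen >= len) continue;                /* whole packet captured */
        if (caplen >= st->snaplen) st->at_snaplen++;   /* cut by the snapshot length */
        else st->below_snaplen++;                   /* cut short of it, as in this thread */
    }
    return 0;
}
/* Builders for constructed input (little-endian, version 2.4, Ethernet link type). */
size_t put_file_header(uint8_t *b, uint32_t snaplen) {
    memset(b, 0, 24); wr32le(b, 0xa1b2c3d4u); b[4] = 2; b[6] = 4;
    wr32le(b + 16, snaplen); wr32le(b + 20, 1);
    return 24;
}
size_t put_record(uint8_t *b, uint32_t caplen, uint32_t len) {
    memset(b, 0, 16 + (size_t)caplen);              /* zero timestamp and zero payload */
    wr32le(b + 8, caplen); wr32le(b + 12, len);
    return 16 + (size_t)caplen;
}
int main(void) {
    static uint8_t img[4096]; struct trunc_stats st;
    size_t n = put_file_header(img, 65535);
    n += put_record(img + n, 3128, 3400);   /* constructed: the sizes reported in the thread */
    if (scan_pcap(img, n, &st) != 0) return 1;
    printf("records=%u at_snaplen=%u below_snaplen=%u\n", st.records, st.at_snaplen, st.below_snaplen);
    return 0;
}
```

A non-zero below_snaplen means the truncation did not come from the snapshot length the application asked for.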


[tcpdump-workers] Libpcap receives partial packets (pcap_pkthdr.caplen

2012-05-08 Thread Hrju Blja
Hi,
I develop a Linux sniffer application, which uses the libpcap 1.2.0 library.
The problem is that on some 2.6.16 and 2.4 kernel machines, which are
pretty much "usual", SOMETIMES SOME packets are captured partially, i.e.
the tpacket_hdr structure's tp_snaplen value is less than the tp_len value. I see
this right after the libpcap code calls RING_GET_FRAME on the pcap_t handle,
so my assumption is that libpcap is not "guilty" here, but some kernel
infrastructure is.

After a short investigation I found that in the create_ring() function the max
frame size is set to MTU size + 18. It did not help, but confused me even
more - my partial packets are of a size much larger than the NIC MTU, e.g. the MTU
size is 1500, while the partial packets' captured size is 3128, and 3400 on the wire.

Playing around with TSO enabling/disabling had no effect.
All the problematic machines are 64 bit.

I'm really sorry for the "SOMETIMES", but I've failed to isolate a problem,
it may happen on single connection for a number of packets, while the rest
are OK.

So before I drill down to kernel debugging, maybe some of you guys have an
idea why that weird stuff may happen?


Re: [tcpdump-workers] Libpcap receives partial packets

2012-05-08 Thread Hrju Blja
Hi,
Both machines have an Intel Gigabit Ethernet adapter, with different
revisions, though. Both use the e100e driver.
So what you are actually saying is that the NIC driver may handle it in the wrong
way? If so, what are the possible reasons?

How exactly did you find out the driver ring frame size? By inserting printf()
into the source, or is there some saner approach?