Hi,
I develop a Linux sniffer application, which uses the libpcap 1.2.0 library.
The problem is that on some 2.6.16 and 2.4 kernel machines, which are
pretty much "usual", SOMETIMES SOME packets are captured partially, i.e.
the tpacket_hdr structure's tp_snaplen value is less than the tp_len value. I see
this right after the libpcap code calls RING_GET_FRAME on the pcap_t handle,
so my assumption is that libpcap is not "guilty" here, but some kernel
infrastructure is.
After a short investigation I found that in the create_ring() function the max
frame size is set to MTU size + 18. It did not help, but confused me even
more - my partial packets are of a size much larger than the NIC MTU, e.g. the MTU
size is 1500, while the partial packet's captured size is 3128, and 3400 on the wire.
Playing around with TSO enabling/disabling had no effect.
All the problematic machines are 64 bit.
I'm really sorry for the "SOMETIMES", but I've failed to isolate the problem;
it may happen on a single connection for a number of packets, while the rest
are OK.
So before I drill down to kernel debugging, maybe some of you guys have an
idea why that weird stuff may happen?
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
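
A diagnostic for the symptom described in the post, as an added example that is not part of the original message or of libpcap: it walks a TPACKET_V1 ring and reports each user-owned frame where tp_snaplen is less than tp_len, noting whether the kernel set TP_STATUS_COPY (its marker for a packet that did not fit in the ring slot) and whether the wire length exceeds MTU + 18. The ring contents, slot size and the TP_STATUS_COPY flag on the sample frame are constructed; only the 3128/3400 lengths and the 1500 MTU come from the post, and `scan_ring`, `sample_stats` and `trunc_stats` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <linux/if_packet.h>   /* struct tpacket_hdr, TP_STATUS_* */

struct trunc_stats { unsigned frames, truncated, copy_flag, over_mtu; };

/* Scan frame_nr ring slots of frame_size bytes; report short captures. */
struct trunc_stats scan_ring(const unsigned char *ring, unsigned frame_nr,
                             unsigned frame_size, unsigned mtu)
{
    struct trunc_stats st = {0, 0, 0, 0};
    for (unsigned i = 0; i < frame_nr; i++) {
        struct tpacket_hdr h;
        memcpy(&h, ring + (size_t)i * frame_size, sizeof h);
        if (!(h.tp_status & TP_STATUS_USER)) continue; /* kernel-owned slot */
        st.frames++;
        if (h.tp_len > mtu + 18) st.over_mtu++;   /* wire length above MTU + 18 */
        if (h.tp_snaplen < h.tp_len) {
            st.truncated++;
            if (h.tp_status & TP_STATUS_COPY) st.copy_flag++; /* did not fit */
            printf("frame %u: wire=%u captured=%u status=0x%lx\n",
                   i, h.tp_len, h.tp_snaplen, h.tp_status);
        }
    }
    return st;
}

/* Constructed sample: 4 slots; header fields only, no payload bytes. */
struct trunc_stats sample_stats(void)
{
    enum { NR = 4, SZ = 4096 };
    static unsigned char ring[NR * SZ];
    struct tpacket_hdr h[NR] = {
        { .tp_status = TP_STATUS_USER, .tp_len = 1514, .tp_snaplen = 1514 },
        { .tp_status = TP_STATUS_USER | TP_STATUS_COPY,   /* flag constructed */
          .tp_len = 3400, .tp_snaplen = 3128 },           /* lengths from post */
        { .tp_status = TP_STATUS_KERNEL },                /* not yet filled */
        { .tp_status = TP_STATUS_USER, .tp_len = 60, .tp_snaplen = 60 },
    };
    for (int i = 0; i < NR; i++)
        memcpy(ring + i * SZ, &h[i], sizeof h[i]);
    return scan_ring(ring, NR, SZ, 1500);
}

int main(void)
{
    struct trunc_stats s = sample_stats();
    printf("truncated=%u of %u frames\n", s.truncated, s.frames);
    return 0;
}
```

Logging tp_status alongside the two lengths separates frames the kernel itself marked as not fitting the slot from short captures with no such flag.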