[tcpdump-workers] Recompile with different libpcap

2011-06-22 Thread Sanjay Sundaresan
Hi

I am trying to evaluate how tcpdump performs with different libpcap versions
and other packet capture libraries. How do I re-compile TCPDUMP to work with
a different libpcap?

-- 
Sanjay Sundaresan
Grad Student
Viterbi School of Engineering, USC
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.


Re: [tcpdump-workers] Recompile with different libpcap

2011-07-08 Thread Sanjay Sundaresan
Hi

Is there an option to make tcpdump print the number of packets it
captures/processes per second? It prints the number of packets handled as a
summary before exiting, but that is a cumulative figure. I want to find out
the rate of packet processing by tcpdump when the pipe is full.



-- 
Sanjay Sundaresan
Grad Student
Viterbi School of Engineering, USC


Re: [tcpdump-workers] timestamp in Packet Data

2011-07-09 Thread Sanjay Sundaresan
Is the approximation because of the fact that the NIC card generates an interrupt
only after some number of packets arrive? Does device polling affect the time
stamp? At what stage of capture is time stamping done?


On Sat, Jul 9, 2011 at 6:59 PM, Alokat  wrote:

> On 07/09/11 21:56, Guy Harris wrote:
> > On Jul 9, 2011, at 4:41 PM, Alokat wrote:
> >
> >> I'm wondering what is in the pcap_data (pcap file format) and what is
> not?
> >> Especially the timestamp ... is it just in the packet_header or in the
> >> packet_data too?
> > A pcap file starts with a header.  Following the header are zero or more
> packet records.  A packet record has a header, which includes the packet
> time stamp, followed by packet data, which is just the raw data as supplied
> to libpcap/WinPcap by whatever mechanism it uses.  That mechanism supplies
> the packet time stamp for inclusion in the header, so there is no reason to
> expect that it will also be in the packet data, especially given that no
> link layers would include that time stamp (it's not in an Ethernet header,
> for example), so the time stamp is just in the packet header, not the packet
> data.
> >
> > The time stamp is an approximation of the time when the packet was
> received by the machine that captured it.
> > -
> > This is the tcpdump-workers list.
> > Visit https://cod.sandelman.ca/ to unsubscribe.
> Okay,
>
> Thanks for your answer ...
>
> Regards,
> alokat
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>




-- 
Sanjay Sundaresan
Grad Student
Viterbi School of Engineering, USC
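Both the per-second rate question and Guy Harris's description of the pcap layout (global header, then a 16-byte record header carrying the time stamp, then raw packet bytes) can be checked offline against a saved capture. The following Python parser is an added example, not code from the list, tcpdump or libpcap: it walks the records, takes the time stamp only from the record header, and buckets packets per whole second. The capture bytes are constructed inline; the four magic values are the standard libpcap ones for the classic and nanosecond file variants in both byte orders.

```python
import struct
from collections import Counter

# Standard libpcap file magic values, as read from the first 4 bytes with "<I".
MAGIC = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian writer, microsecond stamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian writer, microsecond stamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian writer, nanosecond stamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian writer, nanosecond stamps
}
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def build_sample_pcap(byteorder="<"):
    """Constructed sample capture (not a real trace): six tiny frames with
    three packets in second 1000, one in 1001, none in 1002, two in 1003."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    header = struct.pack(byteorder + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    stamps = [(1000, 10), (1000, 500), (1000, 900_000), (1001, 1), (1003, 5), (1003, 6)]
    # Fake Ethernet frame: broadcast dst, made-up src, IPv4 ethertype, filler.
    frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + b"\x00" * 20
    body = b"".join(
        struct.pack(byteorder + "IIII", sec, frac, len(frame), len(frame)) + frame
        for sec, frac in stamps
    )
    return header + body


def iter_records(data):
    """Yield (timestamp_seconds, packet_bytes) per record.  The time stamp is
    read only from the record header; the packet bytes are the raw frame."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the pcap global header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in MAGIC:
        raise ValueError("not a pcap file (unknown magic 0x%08x)" % magic)
    order, frac_per_sec = MAGIC[magic]
    off = GLOBAL_HEADER_LEN
    while off < len(data):
        if off + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        off += RECORD_HEADER_LEN
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield sec + frac / frac_per_sec, data[off:off + incl_len]
        off += incl_len


def packets_per_second(data):
    """Map each whole second seen in the record headers to its packet count."""
    counts = Counter(int(ts) for ts, _ in iter_records(data))
    return dict(sorted(counts.items()))


def peak_rate(data):
    """(second, count) for the busiest second; None for an empty capture."""
    counts = packets_per_second(data)
    if not counts:
        return None
    sec = max(counts, key=lambda s: (counts[s], -s))
    return sec, counts[sec]


if __name__ == "__main__":
    sample = build_sample_pcap()
    for second, n in packets_per_second(sample).items():
        print("%d: %d packets" % (second, n))
    print("peak:", peak_rate(sample))
```

A file written by tcpdump only contains what survived the capture path, so the rate it shows is the arrival rate of the packets that were not dropped; read it together with the "dropped by kernel" figure from the exit summary to judge what tcpdump kept up with.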


[tcpdump-workers] Packet Loss Count

2011-07-22 Thread Sanjay Sundaresan
Hi

After Running TCPDUMP say the following amount is obtained

9298933 packets captured
9298932 packets received by filter
2871368 packets dropped by kernel

Can we assume the percentage of packets dropped during capture on that
particular interface is approximately packets dropped / (packets dropped +
packets captured) * 100%?

Also, if we are running multiple instances of TCPDUMP on all the interfaces,
then why do each of them report different rates of loss? Is this because not
all of them get equal CPU time? And can a single TCPDUMP monitor
multiple interfaces?
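The loss figure asked about above can be computed mechanically from the summary tcpdump writes to stderr on exit, which is also the practical way to line up several instances running on different interfaces. The following Python is an added example, not code from the list or from tcpdump: it parses the summary lines (including the "dropped by interface" line that Linux builds print) and applies the poster's denominator, captured plus dropped by kernel. The eth0 summary is the one quoted in the post; the eth1 summary is constructed.

```python
import re

# One summary line per counter, as tcpdump prints them at exit.
SUMMARY_RE = re.compile(
    r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel|dropped by interface)\s*$"
)

# Figures from the post above (eth0) and a constructed second instance (eth1).
ETH0_SUMMARY = """9298933 packets captured
9298932 packets received by filter
2871368 packets dropped by kernel
"""
ETH1_SUMMARY = """1200000 packets captured
1200000 packets received by filter
0 packets dropped by kernel
3 packets dropped by interface
"""


def parse_summary(text):
    """Turn a tcpdump exit summary into {counter name: value}."""
    stats = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    missing = {"captured", "dropped by kernel"} - stats.keys()
    if missing:
        raise ValueError("summary is missing: " + ", ".join(sorted(missing)))
    return stats


def kernel_drop_percent(stats):
    """Kernel drops as a share of (captured + dropped by kernel), the
    poster's formula.  An empty capture yields 0.0 instead of dividing by zero."""
    dropped = stats["dropped by kernel"]
    total = stats["captured"] + dropped
    return 0.0 if total == 0 else 100.0 * dropped / total


def compare_instances(summaries):
    """summaries: {interface: stderr text of the tcpdump instance on it}.
    Returns {interface: drop percent rounded to 2 places} so unequal loss
    across instances is visible at a glance."""
    return {
        ifname: round(kernel_drop_percent(parse_summary(text)), 2)
        for ifname, text in summaries.items()
    }


if __name__ == "__main__":
    for ifname, pct in compare_instances({"eth0": ETH0_SUMMARY, "eth1": ETH1_SUMMARY}).items():
        print("%s: %.2f%% dropped by kernel" % (ifname, pct))
```

The "received by filter" counter is parsed but deliberately not used in the percentage, because what it counts (whether it includes dropped packets, or packets that failed the filter) differs between operating systems; the captured-plus-dropped denominator from the post avoids that ambiguity.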


Re: [tcpdump-workers] Running TCPDUMP over a web interface

2011-08-16 Thread Sanjay Sundaresan
Web interface? You can't SSH?

On Sun, Aug 14, 2011 at 6:51 AM, Tek Bahadur Limbu  wrote:
> Hi all,
>
> I am not sure if this is a right list to post the following question.
>
> I need to run TCPDUMP on a Linux bridge with multiple network interfaces.
> However, instead of using a shell, I need to run it over a web interface.
>
> Any guide or suggestion will be highly appreciated.
>
>
> Thanking you...
> Best regards,
> Tek Bahadur Limbu
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
>



-- 
Sanjay Sundaresan
Grad Student
Viterbi School of Engineering, USC


Re: [tcpdump-workers] questions on -B, performance, mbufs, and

2011-09-28 Thread Sanjay Sundaresan
What is the meaning of dropped by interface?
Dropped by kernel means packets dropped due to lack of memory at the kernel;
in the same way, what does interface drop signify?

-Original Message-
From: tcpdump-workers-ow...@lists.tcpdump.org
[mailto:tcpdump-workers-ow...@lists.tcpdump.org] On Behalf Of Rick Jones
Sent: Wednesday, September 28, 2011 9:42 AM
To: tcpdump-workers@lists.tcpdump.org
Subject: Re: [tcpdump-workers] questions on -B, performance, mbufs, and

On 09/27/2011 07:32 PM, Jon Schipp wrote:
> Hello Guy,
>
> I'm now doing testing with tcpdump on an Ubuntu machine.
>
> One difference I noticed was that in addition to "dropped by kernel",
> tcpdump on Ubuntu also reports "dropped by interface".
>
> Is this specific to Linux, because I haven't experienced this on
> FreeBSD? Is this an Ubuntu distro addendum, or has this been added by the
> tcpdump team?
>
> Where do the numbers come from for the "dropped by interface"? You've
> already explained the "dropped by kernel";
> I was just wondering how this differs. Would this be the number
> reported by ifconfig?

If, as the name suggests, those are drops reported by the NIC, presumably
the value you see being emitted by tcpdump would track rather closely with
the stats reported for the interface via ethtool -S 

rick jones

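Rick Jones's suggestion is that the "dropped by interface" figure should track the NIC's own drop counters as shown by ethtool -S. Because those counters are cumulative since boot, the check is to snapshot them before and after the capture and compare the delta with tcpdump's summary line. The following Python is an added example, not code from the list, tcpdump or ethtool: it parses two constructed ethtool -S snapshots, sums the deltas of drop-like counters (the keyword match is a heuristic, since counter names vary by driver) and reports how much of the NIC-side loss the tcpdump figure accounts for.

```python
import re

# "    name: value" lines from ethtool -S; the "NIC statistics:" header has no value.
ETHTOOL_LINE = re.compile(r"^\s*([\w.\[\]-]+):\s*(\d+)\s*$")
IFDROP_LINE = re.compile(r"^\s*(\d+) packets? dropped by interface\s*$", re.M)
# Heuristic: counter names that usually mean the NIC discarded received frames.
DROP_KEYWORDS = ("drop", "miss", "fifo", "no_buffer")

# Constructed snapshots (counter names and values are illustrative, not from a real NIC).
BEFORE_SNAPSHOT = """NIC statistics:
     rx_packets: 1000
     rx_dropped: 40
     rx_missed_errors: 10
     rx_fifo_errors: 0
     tx_packets: 500
"""
AFTER_SNAPSHOT = """NIC statistics:
     rx_packets: 5000
     rx_dropped: 52
     rx_missed_errors: 10
     rx_fifo_errors: 0
     tx_packets: 900
"""
# Constructed tcpdump exit summary for the same capture window.
TCPDUMP_STDERR = """4000 packets captured
4000 packets received by filter
0 packets dropped by kernel
12 packets dropped by interface
"""


def parse_ethtool_stats(text):
    """Turn ethtool -S output into {counter name: value}."""
    stats = {}
    for line in text.splitlines():
        m = ETHTOOL_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def nic_drop_deltas(before, after):
    """Per-counter growth of drop-like counters between two snapshots.
    A counter that went backwards (reset or wrap) is an error, not silently zero."""
    deltas = {}
    for name, end in after.items():
        if not any(k in name for k in DROP_KEYWORDS):
            continue
        delta = end - before.get(name, 0)
        if delta < 0:
            raise ValueError("counter %s went backwards between snapshots" % name)
        if delta:
            deltas[name] = delta
    return deltas


def correlate(before_text, after_text, tcpdump_stderr):
    """Compare NIC-side drop growth with tcpdump's 'dropped by interface'."""
    m = IFDROP_LINE.search(tcpdump_stderr)
    ifdrop = int(m.group(1)) if m else 0
    deltas = nic_drop_deltas(parse_ethtool_stats(before_text), parse_ethtool_stats(after_text))
    nic_total = sum(deltas.values())
    return {
        "nic_counters": deltas,
        "nic_total": nic_total,
        "tcpdump_ifdrop": ifdrop,
        "unexplained": nic_total - ifdrop,
    }


if __name__ == "__main__":
    result = correlate(BEFORE_SNAPSHOT, AFTER_SNAPSHOT, TCPDUMP_STDERR)
    print("NIC drop counters that grew:", result["nic_counters"])
    print("NIC total %d vs tcpdump %d (unexplained %d)"
          % (result["nic_total"], result["tcpdump_ifdrop"], result["unexplained"]))
```

A non-zero "unexplained" value means the NIC discarded frames that tcpdump's interface counter does not account for, which is the kind of discrepancy the question above is probing.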