Hi, I develop a Linux sniffer application, which uses the libpcap 1.2.0 library. The problem is that on some 2.6.16 and 2.4 kernel machines, which are pretty much "usual", SOMETIMES SOME packets are captured partially, i.e. the tpacket_hdr structure's tp_snaplen value is less than the tp_len value. I see this right after the libpcap code calls RING_GET_FRAME on the pcap_t handle, so my assumption is that libpcap is not "guilty" here, but some kernel infrastructure is.
After a short investigation I found that in the create_ring() function the max frame size is set to MTU size + 18. It did not help, but confused me even more - my partial packets are of a size much larger than the NIC MTU, e.g. the MTU size is 1500, while the partial packets' captured size is 3128, and 3400 on the wire. Playing around with TSO enabling/disabling had no effect. All the problematic machines are 64 bit. I'm really sorry for the "SOMETIMES", but I've failed to isolate the problem; it may happen on a single connection for a number of packets, while the rest are OK. So before I drill down to kernel debugging, might some of you guys have an idea why this weird stuff may happen?

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
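
Added example, not part of the original post or of libpcap: a C check that walks a TPACKET_V1 ring and separates frames whose `tp_snaplen` is below `tp_len` because the captured data ran exactly to the end of the ring slot from frames cut short for another reason. The 3200-byte slot size and the data offset of 72 are assumed values; 3400 and 3128 are the sizes quoted in the post.

```c
#include <linux/if_packet.h>   /* struct tpacket_hdr, TP_STATUS_* */
#include <stdio.h>
#include <string.h>

struct trunc_report { unsigned seen, truncated, slot_full, max_missing; };

/* Walk a TPACKET_V1 RX ring of frame_nr slots, each frame_size bytes. */
static struct trunc_report scan_ring(const unsigned char *ring,
                                     unsigned frame_size, unsigned frame_nr)
{
    struct trunc_report r = {0, 0, 0, 0};
    for (unsigned i = 0; i < frame_nr; i++) {
        struct tpacket_hdr h;
        memcpy(&h, ring + (size_t)i * frame_size, sizeof h);
        if (!(h.tp_status & TP_STATUS_USER)) continue;   /* kernel-owned slot */
        r.seen++;
        if (h.tp_snaplen >= h.tp_len) continue;          /* captured in full */
        r.truncated++;
        if (h.tp_len - h.tp_snaplen > r.max_missing)
            r.max_missing = h.tp_len - h.tp_snaplen;
        /* Data ends exactly at the slot boundary: the slot size limited it. */
        if ((unsigned)h.tp_mac + h.tp_snaplen == frame_size) r.slot_full++;
    }
    return r;
}

/* Constructed ring: 4 slots of 3200 bytes, data offset 72 (both assumed). */
static struct trunc_report scan_sample(void)
{
    /* {tp_status, tp_len, tp_snaplen}; 3400/3128 are the sizes in the post */
    static const unsigned s[4][3] = {
        {TP_STATUS_USER, 1514, 1514}, {TP_STATUS_USER, 3400, 3128},
        {TP_STATUS_KERNEL, 0, 0},     {TP_STATUS_USER, 1514, 96} };
    static unsigned char ring[4 * 3200];
    for (unsigned i = 0; i < 4; i++) {
        struct tpacket_hdr h;
        memset(&h, 0, sizeof h);
        h.tp_status = s[i][0]; h.tp_len = s[i][1]; h.tp_snaplen = s[i][2]; h.tp_mac = 72;
        memcpy(ring + i * 3200, &h, sizeof h);
    }
    return scan_ring(ring, 3200, 4);
}

int main(void)
{
    struct trunc_report r = scan_sample();
    printf("seen=%u truncated=%u slot_full=%u max_missing=%u\n",
           r.seen, r.truncated, r.slot_full, r.max_missing);
    return 0;
}
```

On a live capture the same comparison applies to each frame returned from the ring, with `frame_size` taken from the `tp_frame_size` the ring was created with.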