Ethereal-dev: Re: [Ethereal-dev] How to stop Linux packet capture from dropping packets?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 19 Apr 2002 22:53:45 -0700
On Sat, Apr 20, 2002 at 03:30:56PM +0930, Richard Sharpe wrote:
> I am capturing large amounts of data from lo under Linux, and it seems 
> that with large transmits (around 65535 bytes), the libpcap stuff is 
> dropping the last two segments of each transmit.
> 
> Does anyone know of any kernel param I can tune to stop this?

On Linux, packet capture is done with PF_PACKET sockets, so the
buffering would be the socket buffer size; at least from a quick look at
the 2.4.9 kernel code, the default socket receive buffer size appears to
be...

...65535 bytes.

That value comes from a "sysctl_rmem_default" variable, which appears to
be controlled by "/proc/sys/net/core/rmem_default"; you might also have
to increase "/proc/sys/net/core/rmem_max".

An alternative might be to explicitly do a "setsockopt()" on the result
of "pcap_fileno()", on Linux.

> Similarly for FreeBSD? I already know about debug.bpf_bufsize for FreeBSD.

"debug.bpf_bufsize" would be the default buffer size; does boosting that
above 65535 bytes not fix the problem?  ("debug.bpf_maxbufsize" is
524288 in FreeBSD 4.5, at least from a quick look at the code, so you
should at least be able to make it that large.)