Ethereal-users: Re: [Ethereal-users] Terrible capture rates

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 13 Mar 2003 13:15:21 -0800

On Thu, Mar 13, 2003 at 04:49:50AM -0500, Ian Schorr wrote:
> Tethereal is reporting only seeing a certain number of frames (again, 
> 30-70% or so), and reports 0 dropped.  I'm not 100% sure whether the 
> kernel is compiled to allow drop reporting, so I'm not sure what this 
> symptom is telling me.

It's probably more of an issue of whether *libpcap* is compiled to allow
drop reporting.  I think all 2.4[.x] kernels that support packet
capturing at all should allow userland code to get the statistics;
however, libpcap prior to 0.7 didn't include code to get them, and even
0.7 and later releases will support it only if compiled on a platform
that supports it - which might not be the case if compiled on, for
example, a platform with 2.2[.x] header files.

> Any suggestions on what might be happening here?

It might be interesting to see whether this is due to packets being
dropped because there's not enough free space in the socket buffer; if
RH 7.3 doesn't have libpcap 0.7 or later, try downloading the current
CVS version of libpcap, building and installing it (make sure that the
"config.h" file in the top-level libpcap source directory defines
HAVE_TPACKET_STATS; if not, you're on a platform with old header files),
and then get the Ethereal source if you don't already have it,
reconfigure it to pick up the version of libpcap you installed rather
than the system libpcap (probably using "--with-pcap=/usr/local", as
tcpdump.org's libpcap is installed under "/usr/local" by default), and
rebuild it (when you're done, run "ldd" on the Ethereal and Tethereal
binaries to make sure they're *NOT* dynamically linked with libpcap). 
Then see whether they report any packets being dropped.
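
The two build checks described in the message above, as an added example that is not part of the original post or of the libpcap or Ethereal sources: it tests whether "config.h" really defines HAVE_TPACKET_STATS and whether saved "ldd" output still lists a shared libpcap. The function names are hypothetical and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample inputs are constructed.

# True only if config.h really defines HAVE_TPACKET_STATS. Autoconf writes
# "/* #undef HAVE_TPACKET_STATS */" when the feature is absent, so a plain
# grep for the name alone would match in both cases.
has_tpacket_stats() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+HAVE_TPACKET_STATS([[:space:]]|$)' "$1"
}

# True if saved ldd output lists a shared libpcap, meaning the binary would
# load the system libpcap at run time instead of the one just built.
links_shared_pcap() {
    grep -Eq '(^|[[:space:]/])libpcap\.so' "$1"
}

# Prints one verdict line for a config.h file and a saved ldd output file.
check_build() {
    if ! has_tpacket_stats "$1"; then
        echo "no-drop-stats: HAVE_TPACKET_STATS not defined"
    elif links_shared_pcap "$2"; then
        echo "wrong-libpcap: dynamically linked with libpcap"
    else
        echo "ok: drop counts should be reported"
    fi
}

# Constructed sample inputs (not taken from a real build).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '/* constructed sample */' '#define HAVE_TPACKET_STATS 1' > "$tmp/good.h"
printf '%s\n' '/* constructed sample */' '/* #undef HAVE_TPACKET_STATS */' > "$tmp/old.h"
printf '\t%s\n' 'libz.so.1 => /usr/lib/libz.so.1 (0x40021000)' \
                'libc.so.6 => /lib/libc.so.6 (0x42000000)' > "$tmp/ldd_static.txt"
printf '\t%s\n' 'libpcap.so.0.6 => /usr/lib/libpcap.so.0.6 (0x40021000)' \
                'libc.so.6 => /lib/libc.so.6 (0x42000000)' > "$tmp/ldd_shared.txt"

check_build "$tmp/good.h" "$tmp/ldd_static.txt"
check_build "$tmp/old.h"  "$tmp/ldd_static.txt"
check_build "$tmp/good.h" "$tmp/ldd_shared.txt"
```

Against a real build, pass the libpcap source directory's "config.h" and a file produced with `ldd ./tethereal > ldd.txt`.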