Wireshark · Ethereal-users: Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"

Ethereal-users: Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Fri, 14 Nov 2003 01:39:56 -0800

On Tue, Nov 11, 2003 at 10:13:16AM +0800, ?$B7DF1?(B wrote:
> > From: "Guy Harris" <guy@xxxxxxxxxxxx>
> > 
> > On Nov 9, 2003, at 8:14 PM, $B7DF1(B wrote:
> > 
> > > I sent 95 packets per seconds to DNS server and use the command 
> > > "Tethereal -V port 53 " to view the detail DNS packets messages.
> > > I ran for 5 seconds but It just show to Frame 99 and  "1031 packets 
> > > dropped".
> > 
> > On what operating system are you running Tethereal?
> 
> I am using Linux RedHat9.0.

What kernel?

The "packets dropped" count is, on 2.4.x kernels, supposed to come from
a counter that, at least in 2.4.20, is incremented only for packets that
pass the capture filter - but you had a capture filter of "port 53",
sent only 95 packets/second for 5 seconds, which would be 475 packets,
but it reported that it dropped 1031 packets!

However, you might have a kernel that doesn't have CONFIG_FILTER
configured in; if so, the capture filtering would be done in libpcap,
not in the kernel, which means

	1) the kernel is passing *all* packets, not just port 53
	   packets, to libpcap, which means it's spending more CPU time
	   copying, so that there's less CPU time for processing
	   packets, meaning it might drop packets if it doesn't read
	   them fast enough - and more packets are arriving, so it'd
	   have to read them faster than if the filtering were done in
	   the kernel;

	2) the count of packets dropped could include packets that
	   aren't port 53 packets.

You might want to check whether your kernel has CONFIG_FILTER enabled:

	Socket filtering
	CONFIG_FILTER
	  The Linux Socket Filter is derived from the Berkeley Packet Filter.  
	  If you say Y here, user-space programs can attach a filter to any
	  socket and thereby tell the kernel that it should allow or disallow
	  certain types of data to get through the socket.  Linux Socket
	  Filtering works on all socket types except TCP for now.  See the
	  text file <file:Documentation/networking/filter.txt> for more
	  information.

	  You need to say Y here if you want to use PPP packet filtering
	  (see the CONFIG_PPP_FILTER option below).

	  If unsure, say N.

and, if not, enable it, rebuild the kernel, and use the new kernel.

Follow-Ups:
- Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"
  - From: Ching Tung Lo
- Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"
  - From: Ching Tung Lo

References:
- [Ethereal-users] HELP:The drawbacks of "Tethereal -V"
  - From: 慶同
- Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"
  - From: Guy Harris

Prev by Date: FW: [Ethereal-dev] RE: [Ethereal-users] URGENT: Need help with RTPstream playback issue
Next by Date: Re: [Ethereal-users] URGENT: Need help with RTP stream playback issue
Previous by thread: Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"
Next by thread: Re: [Ethereal-users] HELP:The drawbacks of "Tethereal -V"
Index(es):
- Date
- Thread