On Nov 19, 2003, at 12:58 PM, Martin Heroux wrote:
> 1- why doesn't tcpdump get the same number of packets as a regular
> sniffer (Dolch, for instance)? I am using one of the best gigabit cards
> on the market; I should get the same result.
Is the regular sniffer dropping fewer packets? If so, that might
explain it. The code path for tcpdump from the driver to the disk
(which probably includes at least two copies of the packet data, and at
least two user->kernel->user boundary crossings) might be longer than
the code path for the Sniffer from the driver to wherever the packets
are stored (the Sniffer might just store them in memory, and save them
to disk only when you ask it to).
Is that the DOS-based or the Windows-based Sniffer?
> 2- why does Ethereal, which uses tcpdump,
Presumably you mean "which uses libpcap" - Ethereal doesn't use tcpdump.
> not read the same number of packets?
Because it's dropping more packets.
For one thing, Ethereal is writing the packets to a file, not to
"/dev/null", as you were doing with tcpdump in your example. Try
specifying a file on "/tmp" or "/var/tmp" in your tcpdump test.
For another thing, the code path in Ethereal is even longer, as it's
updating the display and checking for user input while capturing.
For still another thing, tcpdump defaults to saving only the first 68
(if built without IPv6 support) or 96 (if built with IPv6 support)
bytes of a packet, which reduces the time spent in both packet copies
and the number of user->kernel->user boundary crossings (as more
packets would be written - although not read, as this is Linux - per
system call, as less data is being written). Try running tcpdump with
the option "-s 65535", and try running Ethereal with the "Limit each
packet to [] bytes" option turned on, and the limit set to, for
example, 68 or 96.
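To make the snaplen point concrete, here is an added Python model (not code from this thread, nor from tcpdump or libpcap): it writes the same 1000 constructed full-size Ethernet frames to an in-memory pcap file at snaplen 68 and at 65535, records caplen and orig_len in each record header the way the libpcap savefile format does, and counts how many write() calls a 4 KiB stdio buffer (an assumed size, used only as a model) would issue for each.

```python
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4          # pcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, caplen (incl_len), orig_len
STDIO_BUF = 4096                         # assumed stdio buffer: one write() per full buffer


def sample_packets(n):
    """Constructed input: n full-size 1514-byte Ethernet frames (14-byte header + 1500)."""
    frame = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + bytes(1500)
    return [(i, 0, frame) for i in range(n)]


def write_capture(packets, snaplen, bufsize=STDIO_BUF):
    """Write packets to an in-memory pcap, keeping only the first snaplen bytes
    of each frame. Returns (pcap_bytes, write_calls), where write_calls models
    how many write() system calls a bufsize-byte stdio buffer would issue."""
    out, pending, write_calls = BytesIO(), 0, 0

    def emit(chunk):
        nonlocal pending, write_calls
        out.write(chunk)
        pending += len(chunk)
        while pending >= bufsize:       # buffer full: one write() of bufsize bytes
            pending -= bufsize
            write_calls += 1

    emit(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, frame in packets:
        caplen = min(len(frame), snaplen)
        emit(REC_HDR.pack(ts_sec, ts_usec, caplen, len(frame)))  # orig_len keeps the real size
        emit(frame[:caplen])
    if pending:
        write_calls += 1                # final flush on close
    return out.getvalue(), write_calls


def read_capture(data):
    """Parse the pcap back, returning (caplen, orig_len) per record."""
    magic = GLOBAL_HDR.unpack_from(data, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, records = GLOBAL_HDR.size, []
    while off < len(data):
        _, _, caplen, orig_len = REC_HDR.unpack_from(data, off)
        records.append((caplen, orig_len))
        off += REC_HDR.size + caplen
    return records
```

With 1000 frames the default-style snaplen produces about 84 KB and 21 modelled write() calls, while `-s 65535` produces about 1.5 MB and 374; the orig_len field still reports the full 1514 bytes in both cases, so the truncation is visible to whatever reads the file later.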