[Guy Harris <gharris@xxxxxxxxx>]

George P Nychis wrote:

> Sorry for a question that is not ethereal, but its related and 
> TCPDUMP doesn't have a user mailing list, only a developer mailing
> list,

tcpdump-workers@xxxxxxxxxxx is both a user and a developer mailing list 
for tcpdump.  (It's also a user and developer mailing list for libpcap.)

> After I ran tcpdump for 2 days with heavy traffic, i got: tcpdump:
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>  102591563 packets captured 210400699 packets received by filter 
> 5217573 packets dropped by kernel
>
> What I am interested in is the "5217573 packets dropped by kernel"
> Are these packets outgoing, incoming, or both?

Unknown - there aren't separate counts kept for dropped incoming and 
outcoming packets.

> If so, does that mean
> the application created data, passed it down to the kernel to be put
> on the link, and the kernel could not handle all the packets and
> simply dropped them?

It means that a packet was either received or transmitted, and handed to 
the kernel mechanism used for packet capture, and that mechanism didn't 
have enough buffer space for it, so it wasn't supplied to tcpdump.

It says nothing about whether the packet was dropped by the regular OS 
mechanism for transmitting or receiving packets; it probably wasn't - it 
was just dropped by the mechanism tcpdump used to capture traffic (which 
is the same mechanism Ethereal and Tethereal and snort and... use).