Wireshark-users: Re: [Wireshark-users] Mysterious packet loss during capture

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: <Tim.Poth@xxxxxxxxxxx>
Date: Fri, 9 Oct 2009 16:47:41 -0400
Do you have another box you could try, maybe there is something with that hardware under linux? I think I would try ether a different NIC under linux or a windows box just to see how things change
Hope that helps
tim

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of gkrames@xxxxxxx
Sent: Friday, October 09, 2009 4:12 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Mysterious packet loss during capture

Thanks, but "-n" is already in use (sorry I forgot to mention this 
detail). Also it would not explain packet loss by dumpcap.

New observation: Packet loss is reduced using "-w /dev/null",
but it is still there.

Gerfl


Abhijit Bare schrieb:
> If you have dns lookups on (converting IP addresses to hostnames) during 
> packet captures, packet losses might occur. Try without dns lookups - 
> tcpdump "-n" on Linux
> 
> - Abhijit
> 
> On Thu, Oct 8, 2009 at 1:58 PM, <gkrames@xxxxxxx 
> <mailto:gkrames@xxxxxxx>> wrote:
> 
>     Hi all,
> 
>     I am fighting for a while now with occasional packet loss during
>     capture in promiscous mode.
>     Environment: Linux 2.6.27, 32 bit, NIC e1000e, 100MBit network with
>     4MBit/s actual traffic (4%), wireshark 1.2.2;
>     the capturing PC has <5% CPU load and >1 GB free phys. memory).
> 
>     My test case captures 100K packets (using the -c) option.
>     A random number of packets is dropped (about 20..2000) with ever run.
> 
>     tcpdump, dumpcap, tshark, and wireshark show this behaviour.
>     Interestingly, tcpdump says "nn packets dropped by kernel".
>     So this is most likely a kernel/network stack problem.
> 
>     Trials playing with some kernel sysctl parameters
>     (increasing various buffer sizes, decreasing sheduler granularity
>     and others) has not improved anything so far.
> 
>     ethtool -G eth0 rx-usecs 250 (or 125), limitting interrupts
>     to 4000 or 8000 /sec, has reduced the packet loss but still it is
>     there.
> 
>     Any ideas what else I could try?
>     Also any hint would be appreciated how to find out why the kernel
>     decides to drop some packets.
> 
>     Thanks,
>     Gerfl
> 
> 
> 
> 
> 
> 
>     --
>     Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla
>     Firefox 3.5 -
>     sicherer, schneller und einfacher! http://portal.gmx.net/de/go/chbrowser
>     ___________________________________________________________________________
>     Sent via:    Wireshark-users mailing list
>     <wireshark-users@xxxxxxxxxxxxx <mailto:wireshark-users@xxxxxxxxxxxxx>>
>     Archives:    http://www.wireshark.org/lists/wireshark-users
>     Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>                 mailto:wireshark-users-request@xxxxxxxxxxxxx
>     <mailto:wireshark-users-request@xxxxxxxxxxxxx>?subject=unsubscribe
> 
> 

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe