From: Pavel Fedin <sonic_amiga@rambler.ru>
To: linux-kernel@vger.kernel.org
Subject: pcap misses packets - HELP!!!
Date: Tue, 31 Oct 2006 12:18:15 +0300
Message-ID: <9335882.20061031121815@rambler.ru>

Hello, all!

I need to sniff email traffic on a heavily loaded network.
Currently I am trying to use the dsniff package, whose operation is
based on libpcap. There are problems related to packet loss. Some
packets are just not captured, and this causes severe trouble (for
example, a missing FIN packet leads to abandoned connection tracking
and a memory leak). Missing pieces of mails are also not good.

This problem happens when more than one stream of large data is
transferred concurrently (for example, we send more than one 2 MB
message via SMTP at the same moment). A friend of mine told me that
this is a known problem of pcap related to packet copying from kernel
space to user space.

Are there any alternative solutions working in PROMISC mode (the
traffic is running between two machines which we can't modify under
the project conditions, and we have a third machine on this network
with an interface in PROMISC mode)? I've tried the iptables ULOG
target, but this catches only UDP broadcasts even though I set PROMISC
for the interface using ifconfig.

Maybe changing some sysctl values helps here? I've looked at the
kernel source and learned that dropping of packets being captured
depends on the socket input buffer size and something else in the
skbuff subsystem (some conditions which are unclear to me).

--
Best regards,
Pavel mailto:sonic_amiga@rambler.ru