Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 446228 - net-analyzer/tcpdump-4.3.0 / net-libs/libpcap-1.3.0 - large amount of "packets dropped by interface" is displayed
Summary: net-analyzer/tcpdump-4.3.0 / net-libs/libpcap-1.3.0 - large amount of "packet...
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
: Normal normal (vote)
Assignee: Netmon Herd
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-06 07:56 UTC by Yanestra
Modified: 2013-06-12 18:57 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info tcpdump (emerge_info_tcpdump,5.31 KB, text/plain)
2012-12-06 08:00 UTC, Yanestra
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Yanestra 2012-12-06 07:56:52 UTC
When I start tcpdump, the -w parameter is ignored (no file is written) and an absurdly large amount of dropped packages is displayed. If I omit -w, everything seems fine, except for there is no file written, of course.

Recent stable tcpdump-3.9.8-r1 works, the problem only occurs with tcpdump-4.3.0 which is stable right now.

# tcpdump -w xxx -s 0 -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
794 packets captured
794 packets received by filter
0 packets dropped by kernel
4294967289 packets dropped by interface
Comment 1 Yanestra 2012-12-06 08:00:32 UTC
Created attachment 331630 [details]
emerge --info tcpdump
Comment 2 Jeroen Roovers gentoo-dev 2012-12-06 15:55:11 UTC
What type of storage are you dumping that file on?
Comment 3 Jeroen Roovers gentoo-dev 2012-12-06 16:00:20 UTC
(In reply to comment #2)
> What type of storage are you dumping that file on?

Never mind.
Comment 4 Jeroen Roovers gentoo-dev 2012-12-06 16:07:13 UTC
The file is probably written to /var/lib/tcpdump - see bug #334329.
Comment 5 Jeroen Roovers gentoo-dev 2012-12-06 16:21:20 UTC
(In reply to comment #0)
> When I start tcpdump, the -w parameter is ignored (no file is written) and
> an absurdly large amount of dropped packages is displayed. If I omit -w,
> everything seems fine, except for there is no file written, of course.
> 
> Recent stable tcpdump-3.9.8-r1 works, the problem only occurs with
> tcpdump-4.3.0 which is stable right now.
> 
> # tcpdump -w xxx -s 0 -i eth1
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535
> bytes
> ^C
> 794 packets captured
> 794 packets received by filter
> 0 packets dropped by kernel
> 4294967289 packets dropped by interface

2^32 - 4294967289 = 7
Comment 6 Yanestra 2012-12-06 17:10:51 UTC
(In reply to comment #4)
> The file is probably written to /var/lib/tcpdump - see bug #334329.

Correct.
Comment 7 Jeroen Roovers gentoo-dev 2012-12-06 17:15:44 UTC
tcpdump simply grabs the stats that libpcap provides, so the problem is actually there. But ISTR that some kernel interface recently changed wrt networking.
Comment 8 Jeroen Roovers gentoo-dev 2012-12-06 17:33:13 UTC
ifconfig output RX/TX -- dropped: seems useful, since that value matches the missing number from the "dropped by interface:

ifconfig eth0:
eth0      Link encap:Ethernet  HWaddr 00:30:6e:2b:ba:cd  
          inet addr:10.0.0.140  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::230:6eff:fe2b:bacd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13170602 errors:1 dropped:11581 overruns:0 frame:0
          TX packets:14899924 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3794962031 (3.5 GiB)  TX bytes:9504483720 (8.8 GiB)

tcpdump -i eth0 -c 10:
10 packets captured
200 packets received by filter
96 packets dropped by kernel
4294955715 packets dropped by interface

dropped_by_interface = 2^32 - ifconfig_dropped
4294955715           = 2^32 - 11581

pcap-linux.c calls linux_if_drops() before going into promiscuous mode and after leaving it, and compares both numbers in pcap_stats_linux().
Comment 9 Yanestra 2012-12-06 18:35:30 UTC
(In reply to comment #7)
> tcpdump simply grabs the stats that libpcap provides, so the problem is
> actually there. But ISTR that some kernel interface recently changed wrt
> networking.

Hmmm.

# tcpdump --version
tcpdump version 3.9.8
libpcap version 1.3.0
...
# tcpdump -w xxx -s 0 -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
1214 packets captured
1214 packets received by filter
0 packets dropped by kernel

The same library, different results.
Comment 10 Jeroen Roovers gentoo-dev 2012-12-07 14:14:26 UTC
(In reply to comment #9)
> (In reply to comment #7)
> > tcpdump simply grabs the stats that libpcap provides, so the problem is
> > actually there. But ISTR that some kernel interface recently changed wrt
> > networking.
> 
> Hmmm.
> 
> # tcpdump --version
> tcpdump version 3.9.8
> libpcap version 1.3.0
> ...
> # tcpdump -w xxx -s 0 -i eth1
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535
> bytes
> ^C
> 1214 packets captured
> 1214 packets received by filter
> 0 packets dropped by kernel
> 
> The same library, different results.

Yes, the "packets dropped by interface" is entirely absent from 3.9.*, and hence the problem completely goes away. :)