Old 29th December 2009
J65nko (Administrator)
Join Date: May 2008
Location: Budel - the Netherlands
Why tcpdump sometimes drops packets, mangles DNS and shows bad checksums

From http://archive.netbsd.se/?ml=openbsd...-12&m=12145822
Quote:
BPF is implemented as a ring buffer; if it overflows, it will drop packets.
That's why tcpdump is printing the statistics at the end:
4 packets received by filter
0 packets dropped by kernel

If you tcpdump with a snapsize of 2000 as shown above you will run out of
the default bpf bufsize very quickly since the default is 32k and I guess
you cranked up your tcp buffers to much bigger numbers so that bpf has no
chance to queue the incoming packets, call userland and be done with them
before the 32k buffer overflows. You may want to look into sysctl
net.bpf.bufsize.
For more info about BPF, the Berkeley Packet Filter, which is used by tcpdump, see http://en.wikipedia.org/wiki/Berkeley_Packet_Filter
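As an added example (not from this post or the quoted mailing-list thread), a small sh script that reads the two statistics lines tcpdump prints at the end of a capture and flags a run in which the kernel had to drop packets, so you know the trace is incomplete before trusting it. The interface name in the commented live invocation is assumed.

```shell
#!/bin/sh
# Added example: judge a tcpdump capture by its closing statistics.
#
# tcpdump prints on stderr, when it exits, lines such as:
#   4 packets received by filter
#   0 packets dropped by kernel
# "dropped by kernel" is the number of packets BPF discarded because its
# ring buffer (sysctl net.bpf.bufsize) was full before tcpdump read it.
# On BSD BPF the "received" counter is incremented for every packet the
# descriptor sees, dropped ones included, so drops are a share of received.

# Print "<received> <dropped> <percent dropped>" for the given tcpdump
# output; print nothing and fail when the statistics lines are absent
# (e.g. tcpdump was killed before it could report).
bpf_drop_stats() {
    printf '%s\n' "$1" | awk '
        /packets received by filter/ { recv = $1; seen = 1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (!seen) exit 1
            pct = (recv > 0) ? drop * 100 / recv : 0
            printf "%d %d %.1f\n", recv, drop, pct
        }'
}

# Succeed only when statistics were found and no packet was dropped.
bpf_capture_clean() {
    set -- $(bpf_drop_stats "$1")
    [ -n "$2" ] && [ "$2" -eq 0 ]
}

# Live use (root required; interface name "em0" is an assumption):
#   stats=$(tcpdump -n -i em0 -s 2000 -c 100 2>&1 >/dev/null)
#   bpf_capture_clean "$stats" ||
#       echo "kernel dropped packets; current net.bpf.bufsize: $(sysctl -n net.bpf.bufsize)"
```

If the check fails, raise net.bpf.bufsize (or lower the snaplen) and capture again; a trace with kernel drops is missing packets and can easily look like a DNS or checksum problem that never happened on the wire.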
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump