Date: Wed, 17 Sep 2003 18:46:37 -0700
From: Lev Walkin <vlm@netli.com>
To: Josh Brooks <user@mail.econolodgetulsa.com>
Cc: freebsd-net@freebsd.org
Subject: Re: I would like to tcpdump and get all the packets...
Message-ID: <3F690E7D.90201@netli.com>
In-Reply-To: <20030917182850.Q52432-100000@mail.econolodgetulsa.com>
References: <20030917182850.Q52432-100000@mail.econolodgetulsa.com>
Josh Brooks wrote:
> Whenever I run:
>
> tcpdump -vvv
>
> when I am finished, I am surprised to see:
>
> 27441 packets received by filter
> 7866 packets dropped by kernel
>
> I have pored over the tcpdump man page, but do not see how to tell it to
> not drop any of the packets.
>
> What is the purpose behind this? I can't think of any situation where I
> would want to run tcpdump and not see certain things.
>
> The whole point of my tcpdump usage is to try to catch some malicious
> traffic that I think is hitting my system - if it is dropping so many
> packets, I might never see it!
>
> Many thanks - and also, just out of curiosity, what _is_ the situation in
> which it helps to throw out 20% of the packets and not see them?

Would you want to de-prioritize tcpdump so that if it can't process data
quickly enough as the kernel receives them, the kernel would stop processing
packets and wait for tcpdump to finish?

But seriously, there is a solution for your problem. Add a -n to your
numerous -v's. You probably don't want to spend tcpdump's precious time
resolving the IPs it captures while losing data.

--
Lev Walkin
vlm@netli.com
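The advice in the reply, as an added example that is not part of the original thread: capture with -n (no DNS lookups) and -w (raw packets to a file, no text formatting in the hot path) so tcpdump returns to the kernel buffer faster, then parse the "received by filter" / "dropped by kernel" summary that tcpdump prints on exit and refuse to trust a capture whose drop rate is too high. The interface name, file paths and the threshold are placeholders; the sample summary is constructed from the counts quoted in the question.

```shell
#!/bin/sh
# Added example (not from the original mail): capture without the per-packet
# work that makes tcpdump fall behind, then check how much the kernel dropped.
# Assumptions: tcpdump prints its usual summary lines on stderr when it exits;
# interface and file names passed in are placeholders chosen by the caller.

# Recommended invocation: -n skips name resolution, -w writes raw packets to
# a pcap file instead of formatting text. Decode offline afterwards with:
#   tcpdump -n -r "$2"
capture_raw() {
    # $1 = interface, $2 = output pcap file, $3 = file that receives stderr
    tcpdump -n -i "$1" -w "$2" 2>"$3"
}

# Parse the "N packets received by filter" / "M packets dropped by kernel"
# lines from a saved stderr log and print the drop percentage as an integer
# (dropped count as a share of the received-by-filter count).
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print 0; exit }
            print int(drop * 100 / recv)
        }' "$1"
}

# Return non-zero when the drop rate exceeds a threshold, so a capture that
# lost traffic is flagged instead of being silently treated as complete.
check_drops() {
    # $1 = stderr log from capture_raw, $2 = maximum acceptable percentage
    pct=$(drop_pct "$1")
    if [ "$pct" -gt "$2" ]; then
        echo "WARNING: kernel dropped ${pct}% of filtered packets; capture is incomplete" >&2
        return 1
    fi
    echo "kernel dropped ${pct}% of filtered packets"
    return 0
}

# Constructed sample: the exact counters quoted in the question above.
sample_summary() {
    printf '%s\n' \
        '27441 packets received by filter' \
        '7866 packets dropped by kernel'
}

# Run with "demo" as the first argument to exercise the check on the sample.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_summary >"$tmp"
    check_drops "$tmp" 1
    rm -f "$tmp"
fi
```

The check is deliberately separate from the capture: a drop count only appears when tcpdump exits, so a script that runs capture_raw and then check_drops on the saved stderr is the simplest way to notice that the evidence is incomplete. Later tcpdump releases also accept -B to enlarge the OS capture buffer, which attacks the same problem from the kernel side.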