I use tshark to capture IPFIX packets on Ubuntu. When using the tshark commands without "-s" option, some expected packets are dropped incorrectly. But when the "-s 1500" option is added, it works well. E.g: I run the tshark with different options on the same interface at almost same time. And I find there are several packets are missing in the It confused me very much. What is the default capture snaplen when without “-s” option? All the packets I expected is less than 1500 bytes. But the dropped packets seems not related to packet length: only part of the packets with the same length are dropped. Why the packets are dropped? asked 06 May ‘15, 02:56  Cathy edited 06 May ‘15, 03:49  grahamb ♦ showing 5 of 6 show 1 more comments |
One Answer:
You are not specifying which version of Ubuntu you are using, 14.04 with libpcap >=1.5.3 performs better when it comes to packet drops. I think the difference you are seeing is that without -s the packet size is estimated at 65535 which allows fewer packets per capture buffer, by specifying -s 1500 more packets fits in the buffer and there is less packet drops. This may have been a bug in some libpcap version. answered 06 May '15, 04:01  Anders ♦ Is this really true? I find it highly doubtful that there would be packets bigger than 1500 bytes (well OK, 1514 bytes), even if the snaplen was set to 65535. Could this simply be due to higher packet rates/bursts at the time the capturing was done and have nothing really to do with the snaplen? I suppose one could run 2 simultaneous captures, one with the default snaplen and one with a smaller snaplen to compare apples-to-apples. (06 May '15, 07:02) cmaynard ♦♦ (06 May '15, 07:04) Anders ♦ OK, but the maximum number of packets that would fit into the same buffer size would only be reduced if there were packets that were bigger than 1500 bytes, as compared to limiting the packets to that size, correct? If you set a snaplen of 1514 bytes, there really shouldn't be any difference as compared to leaving the snaplen at 65535 when capturing on standard Ethernet (assuming no jumbo frames) ... should there? (06 May '15, 07:21) cmaynard ♦♦ If I remember correctly the lengt is reserved before the packet is seen. (06 May '15, 07:51) Anders ♦ OH! If that's the case, maybe the default snaplen should be set much lower!? (06 May '15, 08:00) cmaynard ♦♦ I think libpcap was patched to use MTU if that was possible to determine or something like that. (06 May '15, 08:24) Anders ♦ Guy provides more details here (and probably other places too): http://stackoverflow.com/questions/9351664/optimal-snaplen-for-pcap-live-capture. I guess I'll have to read up more on the differences between TPACKET_V1, V2, and V3. Seems like https://www.kernel.org/doc/Documentation/networking/packet_mmap.txt is the place to do that. (06 May '15, 08:39) cmaynard ♦♦ Thanks for your help. It sounds reasonable and helpful. But the count of the packets that match the filter "dst port 9999" is not very big, only about 1000 pkts in 3 minutes, and the burst is not more than 100 pkts/sec. Is it so easy to make the capture buffer full? (06 May '15, 20:23) Cathy Just out of curiosity, what version of libpcap and tshark are you using? (06 May '15, 20:35) Anders ♦ [email protected]:~# tshark -v TShark 1.12.2 (Git Rev Unknown from unknown) Copyright 1998-2014 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled (32-bit) with GLib 2.34.0, with libpcap, with libz 1.2.3, without POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS, with Gcrypt 1.4.6, with MIT Kerberos, without GeoIP. Running on Linux 2.6.32-5-686, with locale en_US.UTF-8, with libpcap version 1.5.3, with libz 1.2.7. Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-55). (06 May '15, 23:22) Cathy showing 5 of 10 show 5 more comments |
The tshark version info is: [email protected]:~# tshark -v TShark 1.12.2 (Git Rev Unknown from unknown)
Copyright 1998-2014 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GLib 2.34.0, with libpcap, with libz 1.2.3, without POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS, without Lua, without Python, without GnuTLS, with Gcrypt 1.4.6, with MIT Kerberos, without GeoIP.
Running on Linux 2.6.32-5-686, with locale en_US.UTF-8, with libpcap version 1.5.3, with libz 1.2.7.
Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-55).
Is this a virtual machine or real hardware?
A virtual machine on KVM.
well, could that be the problem?
Do you see packet drops if you run both tcpdump commands separately? If so, is the packet drop rate the same, higher or lower if you run both captures at the same time?
What happens if you run both tcpdump commands with -s 1500? Still missing packets? If so, what is the number of dropped frames for each tcpdump command? Try to start them “almost” at the same time (through a script) or start sending traffic only after you’ve successfully started both capture commands.
I haven’t run tcpdump, but only run tshark.
In fact, I met the packet dropped issue when one of the tshark command is running. When I run the tshark command without “-s” option, I can see packet drops. And when the “-s 1500” option is added, the results are always OK in several runs. And then I run the two tshark commands, with “-s 1500” and without the option, at the same time to check what is the difference between the two results. The packet dropped issue only happens in the result of tshark without “-s 1500”.
About the packet drop rate, it varies in several runs without “-s” option.
can you please try tcpdump or dumpcap instead of tshark for the capturing process?