This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, i am running iperf to send traffic from one computer to another, & i am using tcpdump to capture packets (1000,000 and more) on both sides of the sender and receiver, the problem is tcpdump captured much LESS than the 1 million packets on both sides, and i changed the test duration randomly from 10 seconds to 100 seconds, it solved the problem at the sender-side & i got my 1000,000 captures, but NOT at the receiver where i got only 108,000 captures, now i don't know what is causing this, and i could not find an answer on the internet, any help to get my 1 million captures at the sender and receiver??

i used for the server: iperf -s

And for the client: iperf -c ipAddress -t 100

and for the capture tool i used: tcpdump -i eth1 -s 0 -c 1000000 -w /dev/shm/new.pcap "tcp"

asked 09 Jul '15, 10:49

yas1234's gravatar image

yas1234
16182023
accept rate: 0%

edited 13 Jul '15, 05:12


I see the following possible problems:

At both sides: tcpdump might not be able to record all packets (disk I/O) and thus it drops some of them.
Solution: don't capture the full frame size, meaning use option -s (snaplength), like -s 100. Futhermore check the statistics of tcpdump at the end of the capture session (dropped packets).

At the receiver side: There could be packet loss in the network (normal for every network) and thus you see less frames on the receiver side than on the sender side.
Solution: iperf will tell you if there was packet loss in the report.

Regards
Kurt

permanent link

answered 09 Jul '15, 22:29

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

okay you are right but still couldn't solve the problem, i had my snaplen set to the default -s 0, i changed it as you said to -s 100 which solved the problem at the receiver but i had the same problem at the sender again! i got million packets at the receiver and only 30,000 at the sender, and iperf did not show any Losses so i don't know what to do, how do i set my framesize? i am using tcp, also i tried -s 1500 since eth mtu is 1500 but it did not work either, is this problem in tcpdump only or i will have it if i change to tshark or other?

(10 Jul '15, 02:00) yas1234

also is this problem in tcpdump only or i will have it if i change to tshark or other?

tcpdump and tshark are using the same capturing library, called libpcap, so you will have the same issue if it's a load problem.

You can try to separate traffic generation and capturing, to prevent resource overloading on the sender (CPU, Network I/O, disk I/O, etc.).

So, run iperf on the sender and do the capturing part on a different system via switch port mirroring.

(10 Jul '15, 02:11) Kurt Knochner ♦

but actually i need the same environment for the test and i have to fix this instead of replacing the system...i am not overloading the sender as the receiver is not generating data packets just ack packets and im using 1G interface on both sides...any suggestions?

(13 Jul '15, 05:02) yas1234

@yas1234 - When performing the iperf stream and packet capture at the sender, what is the system utilization?
I had a similar issue in which the OS was limiting the amount of resources allocated to any one data stream. Some suggestions:

  1. Try using a smaller throughput and see if the issue is resolved. Then gradually increase the throughput until you see the issue - very time consuming!

  2. Perform the same throughput and look at your system utilization. If they reach or near 100%, then cutback the throughput.

In my case, I had to add a second source to create the overall throughout required for the test.

(13 Jul '15, 06:41) Amato_C

how do i see my system's utilization ?

(13 Jul '15, 06:46) yas1234

Depends on the OS:

  1. Windows = Windows Task Manager, press CTRL+ALT+DEL and select the Task Manager

  2. Linux distros = use the top command

(13 Jul '15, 07:04) Amato_C

but actually i need the same environment for the test and i have to fix this instead of replacing the system.

To fix what exactly? Does iperf show packet loss or is it just the fact that you don't see everything in the capture file?

(13 Jul '15, 08:38) Kurt Knochner ♦
showing 5 of 7 show 2 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×97
×75
×10
×8

question asked: 09 Jul '15, 10:49

question was seen: 2,881 times

last updated: 13 Jul '15, 08:38

p​o​w​e​r​e​d by O​S​Q​A