Hi, I wanted to check whether the sniffer application I'm using has zero packet loss. For that I used tcpreplay to send a specific number of packets into the capture port. The number of packets shown by Wireshark or tcpdump -r when opening the pcap file does not seem to be the same as the one shown by tcpreplay. Why is that?
asked 27 Jul '15, 00:07 jichu
One Answer:
There are many possible reasons:
Regards
answered 27 Jul '15, 15:46 Kurt Knochner ♦
Hi, thanks for the reply. I checked with "iperf" and there is no loss in the network, and I use an ESXi virtual switch for the system; I don't think packet loss happens there. The sniffer software I use (netsniff-ng) shows no packet loss, so the only option left is a bug and/or TCP segmentation offloading.
So what Guest OS are you using where you run tcpreplay?
I use Ubuntu Server 14.04 LTS for both sniffer and for tcpreplay
Have you checked the counters with ifconfig or ethtool -S?
Yes, no packet drops shown in ifconfig eth1 and ethtool -s eth1 command
And tcpreplay shows more packets transmitted correctly than the tcpdump output? Is it still reproducible?
Yes, that's correct. I'm running one now; when it's completed I can post the output.
Hi
TCP replay output:
    Actual: 612469500 packets (305393106000 bytes) sent in 10685.58 seconds.
    Rated: 28579928.0 bps, 218.05 Mbps, 57317.38 pps
    Statistics for network device: eth1
        Attempted packets: 612469500
        Successful packets: 612469500
        Failed packets: 0
        Retried packets (ENOBUFS): 0
        Retried packets (EAGAIN): 0
Sum of all tcpdump -r output (using a script): 48861713
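The script used is:

    #!/bin/bash
    # Sum the number of packets tcpdump prints for every capture file.
    files=(/share/capture/job2/*.pcap)
    sum=0
    for f in "${files[@]}"
    do
        # One output line per packet; tcpdump's own messages go to stderr.
        output=$(sudo tcpdump -r "$f" 2> /dev/null | wc -l)
        sum=$((output + sum))
    done
    echo "$sum"

And what does capinfo tell you?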
Same as tcpdump -r
Maybe it is something like that (as Kurt already noticed): packet loss on the sniffer system (high CPU/IO load, etc.)
And the difference is that iperf and tcpreplay send out the packets in different wave forms.
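
The comparison made in this thread, as an added example that is not code from any of the posters: it counts records in classic pcap files by walking the record headers (no dissection, and it flags files cut off mid-record) and subtracts the total from the "Successful packets" counter in tcpreplay's summary. It assumes classic pcap, not pcapng; the function names and the sample data are constructed for illustration.

```python
import io
import re
import struct

# Classic pcap magic bytes -> struct byte-order prefix (usec and nsec variants).
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def count_pcap_records(stream):
    """Walk the per-packet records; return (packet_count, file_is_truncated)."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    order, packets = MAGICS[header[:4]], 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return packets, bool(rec)      # empty read = clean EOF, short = truncated
        incl_len = struct.unpack(order + "IIII", rec)[2]
        if len(stream.read(incl_len)) < incl_len:
            return packets, True           # cut off inside packet data
        packets += 1

def replay_successful(summary):
    """Extract the 'Successful packets' counter from tcpreplay's summary text."""
    match = re.search(r"Successful packets:\s*(\d+)", summary)
    if match is None:
        raise ValueError("no 'Successful packets' line found")
    return int(match.group(1))

def reconcile(summary, streams):
    """Compare what tcpreplay sent with what the capture files contain."""
    sent, captured, truncated = replay_successful(summary), 0, 0
    for stream in streams:
        count, cut = count_pcap_records(stream)
        captured, truncated = captured + count, truncated + cut
    return {"sent": sent, "captured": captured,
            "missing": sent - captured, "truncated_files": truncated}

def make_pcap(n, payload=b"\x00" * 60):
    """Constructed sample: little-endian pcap holding n identical 60-byte frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(n):
        out += struct.pack("<IIII", i, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    files = [io.BytesIO(make_pcap(3)), io.BytesIO(make_pcap(2)[:-10])]
    print(reconcile("Successful packets: 5\n", files))
```

For real capture files, pass handles opened with `open(path, "rb")` in place of the `BytesIO` objects.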