N! packets dropped by kernel
Dan Nelson
dnelson at allantgroup.com
Thu May 15 12:16:49 PDT 2003
In the last episode (May 15), David Smithson said:
> Hi. I have a situation which may or may not be a problem. Here's my ip
> configuration:
>
> nge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> media: Ethernet autoselect (1000baseTX <full-duplex>)
> nge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> media: Ethernet autoselect (1000baseTX <full-duplex>)
>
> I've been monitoring net traffic with tcpdump. Most traffic is SMB
> and NMB. Tcpdump reports a very high dropped:received packet ratio.
> For example, a few second of capture during peak traffic returns:
>
> 34964 packets received by filter
> 34085 packets dropped by kernel
>
> Should I be concerned? I'll include full tcpdumps on both interfaces if
> necessary. Thanks for your time.
It means you need a faster CPU :) Tcpdump was only able to display
half the packets it got, and the kernel had to drop the rest.
Depending on what you're doing, writing to a file (-w logfile.txt),
grabbing less bytes per packet (-s), limiting which packets to display
(with a tighter filter expression), or raising the in-kernel buffersize
(sysctl debug.bpf_bufsize) may work as well.
I'm capturing (not decoding; just writing to disk) packets from four
fxp interfaces on a 586-200 (no MMX even!), and my CPU load doesn't go
over 10%. A machine 10x faster should be able to monitor two
interfaces 10x the speed of mine with no problems.
--
Dan Nelson
dnelson at allantgroup.com
More information about the freebsd-questions
mailing list