Reprint: http://blog.csdn.net/galaxy_fxstar/article/details/5290498
Recently, while capturing packets with tcpdump, I found a large number of drops ("packets dropped by kernel"), as follows:
tcpdump -i eth0 dst port 1234 and udp -s 2048 -x -tt > a.pack
packets captured
3043 packets received by filter
2706 packets dropped by kernel
Cause of the packet drops:
After some searching and analysis, the cause of these drops turned out to be this: after libpcap captures the packets, the upper layer of tcpdump does not take them out in time, so the libpcap buffer overflows and the unprocessed packets are overwritten. These are reported as "dropped by kernel". Note that "kernel" here does not mean the packets were discarded by the Linux kernel, but by the core of tcpdump, that is, by libpcap. The server listening on port 1234 above still receives the data normally.
Workaround:
Based on the analysis above, the packet loss rate can be reduced by improving the processing efficiency of the upper layer of tcpdump. The following steps can be applied as needed; each one lowers the loss rate by some amount.
1. Narrow the capture filter as much as possible, that is, specify the network interface, port, packet direction and packet size to reduce the number of packets.
2. Add the -n parameter to disable reverse DNS resolution.
tcpdump -i eth0 dst port 1234 and udp -s 2048 -n -x -tt > a.pack
In most cases, this will solve the problem.
It reduces packet loss by improving the processing efficiency of the tcpdump upper layer.
3. Write the packets to a cap file.
tcpdump -i eth0 dst port 1234 and udp -s 2048 -n -x -tt -w a.cap
With this step, basically any Web server can be handled.
4. Modify the SO_RCVBUF parameter with sysctl to increase the libpcap buffer length.
This step is the last-resort trick. Because it involves modifying kernel parameters, try not to use it; if nothing else works, then there is no other way ^_^
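
To see how much each of the steps above actually lowers the loss, the counters tcpdump prints on exit can be parsed and compared between runs. The script below is an added example, not part of the original post; the function names `drop_pct` and `capture_ok` are hypothetical, and it assumes Linux behaviour, where "received by filter" also counts the packets that were later dropped.

```shell
#!/bin/sh
# Added example: parse the statistics tcpdump prints on exit (on stderr)
# and report what share of the filter-matched packets was dropped.

# drop_pct: read tcpdump's summary on stdin, print the integer percent dropped.
# Exits with status 2 if either counter line is missing.
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == "" || drop == "") exit 2   # summary incomplete
            if (recv == 0) { print 0; exit }       # nothing matched the filter
            printf "%d\n", (drop * 100) / recv     # truncated to whole percent
        }'
}

# capture_ok MAX_PCT: succeed only if the loss read from stdin is <= MAX_PCT.
capture_ok() {
    pct=$(drop_pct) || return 2
    echo "dropped ${pct}% of filter-matched packets"
    [ "$pct" -le "$1" ]
}

# Constructed sample: the two counters quoted earlier on this page.
SAMPLE='3043 packets received by filter
2706 packets dropped by kernel'

# Demo: with a 1% tolerance the capture from this page is flagged as lossy.
printf '%s\n' "$SAMPLE" | capture_ok 1 ||
    echo "capture is lossy: narrow the filter, add -n, or write with -w"
```

For a real run, save the summary with `tcpdump ... -w a.cap 2> stats.txt` and feed it in with `capture_ok 1 < stats.txt`.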