Why does tcpdump show few packet?

Discussion in 'Linux Networking' started by Zheng Da, Sep 27, 2006.

  1. Zheng Da

    zhengda Guest

    Sometimes it is:
    2 packets captured
    14031 packets received by filter
    much less than 1%.
    It never captures these packets.
    I think I should follow Rick Jones, and try the tcpdump from
    www.tcpdump.org first.
     
    zhengda, Oct 1, 2006
    #21

  2. Zheng Da

    zhengda Guest

    I have downloaded and compiled tcpdump 3.9.5, but it still captures few
    packets. Something like:
    13 packets captured
    1448 packets received by filter
    1320 packets dropped by kernel
     
    zhengda, Oct 1, 2006
    #22

  3. Zheng Da

    Moe Trin Guest

    On Sun, 01 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in
    And that is still my concern.
    There is _something_ in the way of those packets.
    What happens if you disable VMWare?
    That was a long shot, but _something_ is filtering those packets.
    The changes from 3.9.4 to 3.9.5 are not significant, and I haven't heard
    any Debian users screaming about the existing version. I think the
    problem is something in the way you are running the system, but I can't
    figure what it could be.

    Old guy
     
    Moe Trin, Oct 1, 2006
    #23
  4. Zheng Da

    Moe Trin Guest

    On Sun, 01 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in
    That's still the same problem.
    packets ``dropped by kernel'' (this is the number
    of packets that were dropped, due to a lack of
    buffer space, by the packet capture mechanism in
    the OS on which tcpdump is running, if the OS
    reports that information to applications; if not,
    it will be reported as 0).

    Had you seen this before? In my experience this is either a very busy
    network, or a very busy computer running tcpdump - in either case, there
    was too much traffic for the time allowed to the application.

    Old guy
     
    Moe Trin, Oct 1, 2006
    #24


  5. Broken DNS?

    Try
    tcpdump -n
    (I believe that's the default with wireshark.)
     
    Allen McIntosh, Oct 1, 2006
    #25
  6. Zheng Da

    zhengda Guest

    I think you get the point.
    tcpdump -n can really get lots of packets.
    But the number of packets captured is always around half of the
    ones received by filter.

    255 packets captured
    510 packets received by filter
    0 packets dropped by kernel

    Is it normal?
     
    zhengda, Oct 2, 2006
    #26
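    Moe Trin's post above explains the "dropped by kernel" counter, and the `tcpdump -n` exchange shows how the numbers change once name resolution is out of the loop. The script below is an added example, not code from the thread or from tcpdump: it parses the three summary lines tcpdump prints on exit and classifies the run as healthy, drop-limited, or a capture/filter discrepancy, using the three summaries quoted in this thread as constructed sample input. The 1% and 90% thresholds are assumptions chosen for the example.

```python
"""Parse and sanity-check the summary tcpdump prints when it exits."""
import re

# tcpdump writes these lines to stderr when it stops (Ctrl-C or -c N):
#   N packets captured
#   N packets received by filter
#   N packets dropped by kernel
_STATS_RE = re.compile(
    r"^\s*(\d+)\s+packets?\s+(captured|received by filter|dropped by kernel)\s*$"
)

# Thresholds are assumptions for this example, not tcpdump defaults.
MAX_KERNEL_DROP_FRACTION = 0.01   # more than 1% dropped by the kernel is a problem
MIN_CAPTURE_FRACTION = 0.9        # captured/received below this deserves a look


def parse_tcpdump_stats(text):
    """Return {'captured', 'received', 'dropped'} from tcpdump's exit summary.

    The 'dropped by kernel' line is optional: per the tcpdump manual it is
    reported as 0 when the OS gives no figure, and some builds omit the line.
    """
    found = {}
    for line in text.splitlines():
        m = _STATS_RE.match(line)
        if m:
            found[m.group(2)] = int(m.group(1))
    if "captured" not in found or "received by filter" not in found:
        raise ValueError("no tcpdump summary lines found in input")
    return {
        "captured": found["captured"],
        "received": found["received by filter"],
        "dropped": found.get("dropped by kernel", 0),
    }


def assess_capture(stats):
    """Classify a run. Returns (verdict, capture_fraction, drop_fraction).

    'healthy'      almost everything the filter saw was written out.
    'kernel drops' the capture buffer overflowed: tcpdump did not drain packets
                   fast enough (busy host or network; without -n every printed
                   address also costs a reverse DNS lookup in the packet loop).
    'low capture'  no kernel drops, yet far fewer packets captured than received
                   by the filter. The tcpdump manual says that on some OSes
                   'received by filter' also counts packets the filter rejected,
                   so compare the ratio with what the filter expression should
                   match before suspecting tcpdump or libpcap.
    'nothing seen' the filter received no packets at all.
    """
    received, captured, dropped = stats["received"], stats["captured"], stats["dropped"]
    if received == 0:
        return "nothing seen", 0.0, 0.0
    capture_fraction = captured / received
    drop_fraction = dropped / received
    if drop_fraction > MAX_KERNEL_DROP_FRACTION:
        return "kernel drops", capture_fraction, drop_fraction
    if capture_fraction < MIN_CAPTURE_FRACTION:
        return "low capture", capture_fraction, drop_fraction
    return "healthy", capture_fraction, drop_fraction


# Constructed inputs: the three summaries quoted in the thread.
SAMPLE_RUNS = {
    "first run": "2 packets captured\n14031 packets received by filter\n",
    "tcpdump 3.9.5": "13 packets captured\n1448 packets received by filter\n"
                     "1320 packets dropped by kernel\n",
    "with -n": "255 packets captured\n510 packets received by filter\n"
               "0 packets dropped by kernel\n",
}


def assess_all(runs=SAMPLE_RUNS):
    """Map each run name to its verdict; in real use feed it tcpdump's stderr."""
    return {name: assess_capture(parse_tcpdump_stats(text))[0]
            for name, text in runs.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_RUNS.items():
        verdict, cap, drop = assess_capture(parse_tcpdump_stats(text))
        print(f"{name:14s} {verdict:13s} captured {cap:.1%}  dropped {drop:.1%}")
```

    In practice the summary is collected from tcpdump's stderr, for example `tcpdump -n -i eth0 -w out.pcap 2>stats.txt`, and fed to `parse_tcpdump_stats`; writing with `-w` and disabling name lookups with `-n` both remove work from the packet loop, which is the first thing to try when the "dropped by kernel" count is large.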

  7. No. Looks like time to build tcpdump from scratch, or at least get the
    source and try to figure out why the two numbers might be different.
     
    Allen McIntosh, Oct 2, 2006
    #27
  8. Zheng Da

    Rick Jones Guest

    That was just to make sure it was a fully known quantity - and was
    meant to include building libpcap from scratch too, not just tcpdump,
    which means making sure that the newly built tcpdump used the newly
    built libpcap, and not the one already on the system.

    rick jones
     
    Rick Jones, Oct 2, 2006
    #28
  9. Zheng Da

    Moe Trin Guest

    On Mon, 02 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in
    That's why I pointed him at 'debsums' - but I don't feel the problem is
    there either. It's something the way he is running his system, and that
    VMWare is really waving a big flag.

    Old guy
     
    Moe Trin, Oct 3, 2006
    #29
  10. Zheng Da

    Rick Jones Guest

    Agreed.

    rick jones
     
    Rick Jones, Oct 3, 2006
    #30
  11. Zheng Da

    Zheng Da Guest

    Moe Trin wrote:
    Why use debsums? I have installed tcpdump from the source code, and
    it had the same result. So it shouldn't be a problem with tcpdump. What
    can debsums prove?
    I have removed VMWare script in the /etc/init.d, so VMWare service
    can't be started when the system starts up.
     
    Zheng Da, Oct 9, 2006
    #31
  12. Zheng Da

    Moe Trin Guest

    On 9 Oct 2006, in the Usenet newsgroup comp.os.linux.networking, in article
    I mentioned that before you decided to try installing from source. The
    'debsums' program would prove that your Debian binaries were not corrupt.

    The idea is that there are many Debian users, and they are not screaming
    about tcpdump not working correctly. But there are not that many Debian
    users who are using VMWare. Now, if you are running VMWare, is the Linux
    that you as a user can access running in a VMWare wrapper, or is VMWare
    just another application also running in the native shell. I don't use
    VMWare as I have no need for it, but I would think that this difference
    would show up in the 'ps afwux' output. If you are running VMWare, and it
    _doesn't_ appear in the process list, then you are running in a guest
    shell, and VMWare is causing problems.
    And is there any change?

    Old guy
     
    Moe Trin, Oct 11, 2006
    #32
  13. Zheng Da

    Zheng Da Guest

    Moe Trin wrote:
    VMWare is an application running in my Linux.
    No. The number of packets captured by tcpdump is still half of the
    ones received.
    So I think it shouldn't be VMWare's fault.
     
    Zheng Da, Oct 11, 2006
    #33
