Message-ID: <9335882.20061031121815@rambler.ru>
Date: Tue, 31 Oct 2006 12:18:15 +0300
From: Pavel Fedin <sonic_amiga@...bler.ru>
To: linux-kernel@...r.kernel.org
Subject: pcap misses packets - HELP!!!

Hello, all!

I need to sniff email traffic on a heavily loaded network.
Currently I am trying to use the dsniff package, whose operation is based on
libpcap. There are problems related to packet loss. Some packets are
just not captured, and this causes severe trouble (for example, a missing
FIN packet leads to abandoned connection tracking and a memory leak).
Missing pieces of mails are also not good.

This problem happens when more than one stream of large data is
transferred concurrently (for example, we send more than one 2 MB
message via SMTP at the same moment). A friend of mine told me that this
is a known problem of pcap which relates to packet copying from kernel
space to user space.

Are there any alternative solutions working in PROMISC mode (the
traffic is running between two machines which we can't modify by
project conditions and we have a third machine on this network with
an interface in PROMISC mode)? I've tried the iptables ULOG target, but
this catches only UDP broadcasts even though I set PROMISC for the
interface using ifconfig.

Maybe changing some sysctl values would help here? I've looked at the
kernel source and learned that dropping of packets being captured depends
on the socket input buffer size and something else in the skbuff subsystem
(some conditions which are unclear to me).

--
Best regards,
Pavel mailto:sonic_amiga@...bler.ru
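
The message above ties capture loss to the socket input buffer size. The following is an added example, not part of the original message and not libpcap or dsniff code: it shows how the kernel's own drop counter and the granted receive buffer can be read on a Linux AF_PACKET socket, the socket type libpcap captures from on Linux. The function names and the 8 MiB request are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Request a receive buffer of `bytes`; return the size the kernel granted.
 * Linux caps unprivileged requests at net.core.rmem_max and reports double
 * the accepted value (bookkeeping overhead). Returns -1 on error. */
int grant_rcvbuf(int fd, int bytes)
{
    int got = 0;
    socklen_t len = sizeof(got);
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &bytes, sizeof(bytes)) < 0)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0)
        return -1;
    return got;
}

/* Read the packet socket's counters since the previous call (reading resets
 * them). tp_drops counts frames the kernel discarded, e.g. on a full buffer. */
int capture_stats(int fd, unsigned int *seen, unsigned int *dropped)
{
    struct tpacket_stats st;
    socklen_t len = sizeof(st);
    if (getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, &st, &len) < 0)
        return -1;
    *seen = st.tp_packets;
    *dropped = st.tp_drops;
    return 0;
}

int main(void)
{
    /* Hypothetical stand-alone monitor; needs CAP_NET_RAW (run as root). */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    printf("rcvbuf granted: %d bytes\n", grant_rcvbuf(fd, 8 << 20));
    for (int i = 0; i < 10; i++) {
        unsigned int seen = 0, dropped = 0;
        sleep(1); /* nothing reads the socket, so the buffer fills up */
        if (capture_stats(fd, &seen, &dropped) == 0)
            printf("t=%ds seen=%u dropped=%u\n", i + 1, seen, dropped);
    }
    close(fd);
    return 0;
}
```

Because the reader is deliberately stalled, the time until `dropped` becomes non-zero shows how much burst the granted buffer absorbs at the current traffic level.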