Message-ID: <9335882.20061031121815@rambler.ru>
Date:	Tue, 31 Oct 2006 12:18:15 +0300
From:	Pavel Fedin <sonic_amiga@...bler.ru>
To:	linux-kernel@...r.kernel.org
Subject: pcap misses packets - HELP!!!

 Hello, all!

 I need to sniff email traffic on a heavily loaded network.
Currently I am trying to use the dsniff package, whose operation is based on
libpcap. There are problems related to packet loss. Some packets are
just not captured, which causes severe trouble (for example, a missing
FIN packet leads to abandoned connection tracking and a memory leak).
Missing pieces of mails are also not good.
 This problem happens when more than one stream of large data is
transferred concurrently (for example, we send more than one 2 MB
message via SMTP at the same moment). A friend of mine told me that this
is a known problem of pcap which addresses packet copying from kernel
space to user space.
 Are there any alternative solutions working in PROMISC mode (the
traffic is running between two machines which we can't modify by
project conditions, and we have a third machine on this network with
an interface in PROMISC mode)? I've tried the iptables ULOG target, but
this catches only UDP broadcasts even though I set PROMISC for the
interface using ifconfig.
 Maybe changing some sysctl values would help here? I've looked at the
kernel source and learned that the dropping of packets being captured depends
on the socket input buffer size and something else in the skbuff subsystem
(some conditions which are unclear to me).

-- 
Best regards,
 Pavel                          mailto:sonic_amiga@...bler.ru
