Ubuntu – How to capture “dropped packets” in tcpdump

networkingtcpdumpubuntu 16.04wireshark

I have a problem with my networking performance. I am using Ubuntu 16.04 on VMware Cloud Server with NIC E1000. But I see some packets dropped in sections of ifconfig command:

root@ubuntu:~# ifconfig ens192
ens192    Link encap:Ethernet  HWaddr 00:50:56:03:25:14  
          inet addr:192.16.1.100  Bcast:192.16.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:574749 errors:0 dropped:83 overruns:0 frame:0
          TX packets:76478 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44109471 (44.1 MB)  TX bytes:19484534 (19.4 MB)

Although it just some packets dropped but my server is running a real-time game online, so you know it impacts my clients that are connecting to it.

I have done in some researching and exploring information on Google, after that I tried to change config file for buffer ring, max windows size, and so on. But it still drops my packets.

So, now I want to capture packets that dropped for analyzing what type of packets exactly it is.

I also tried this capture for my view in wireshark:

sudo tcpdump -i ens192 -n -w /var/www/html/logs.pcap -C 1 -Z root

But I don't think I can see what packets are dropped! I think packets dropped is ignored before going to the filter of tcpdump.

Can you suggest me what method to capture "dropped packets" above (dropped:83)?

Thanks in advance!

Best Answer

The problem can be with tcpdump itself: If it doesn't respond quickly enough then old packets will be overwritten with new ones, which means that they are dropped.

If you capture all the bytes of each packet, it's very easy to overrun the kernel's packet capture buffer. The symptoms of this overrun are that your packet trace program will report that it dropped packets.

In the case of tcpdump, it prints a summary of how many packets were captured, filtered, and dropped when you stop the capture. For example:

$ sudo tcpdump -i en0 -w trace.pcap
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
94 packets captured
177 packets received by filter
0 packets dropped by kernel

If the dropped count is non-zero, you need to increase the packet capture buffer size by passing the -B option to tcpdump. Try it also without a capture file, to see if this improves the capture ratio.

Related Solutions

Linux – How to Create a network connection between host and guest using static ip in Oracle Virtual Box

Clicking to the Cable connected check-box would be a good start for communication to occur between your guest and host.

Linux Networking – How to Check if Multiple Network Interfaces Are Working

The reason why your bind does not work has nothing to with bind, a trick I use too, and everything to do with the fact that you have only one default gateway, on the usb0 NIC, while you should have one on either NIC, otherwise connection to WAN sites from wlan0 will not be routed.

Linux allows the existence of multiple gateways (one per interface, virtual or not), under the regimen of policy-based routing. What you need to do is to have two separate routing tables, one for usb0 and one for wlan0, and a rule telling the kernel which one to use; then binding an application to either interface will allow you to reach WAN sites.

You handle two routing tables as follows: First, create two tables (Replace and with sensible names, same with IP1, DEV1, and so on):

echo 200 <NAME1> >> /etc/iproute2/rt_tables
echo 201 <NAME2> >> /etc/iproute2/rt_tables

Add a gateway to each routing table (if needed):

ip route add <NET1> dev <DEV1> src <SRC1> table <NAME1>
ip route add <NET2> dev <DEV2> src <SRC2> table <NAME2>

Then a default route:

ip route add default via <IP1> table <NAME1>
ip route add default via <IP2> table <NAME2>

Then the rules to select the route table based on the source address:

ip rule add from <IP1> table <NAME1>
ip rule add from <IP2> table <NAME2>

Now you can bind application to either interface.