Going through the man page of tcpdump, it seems the kernel can drop the packets if the buffer is full. I was wondering if:
- that size is configurable and/or
- where can I see the size for my distro?
From the man page (for easy reference):
packets “dropped by kernel” (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).
Best Answer
Tcpdump has the option -B to set the capture buffer size. The value is then passed to libpcap (the library used by tcpdump to do the actual packet capturing) via the pcap_set_buffer_size() function. The tcpdump manpage does not specify in what units the buffer size is specified with -B, but from the source it seems that it is KiB. The manual page of pcap_set_buffer_size() does not specify the default buffer size (which is used if this function is not called), but again, from the libpcap source, this seems to be 2 MiB, at least on Linux (but it is most likely system dependent).

With regard to packet buffering and dropping, you should also pay attention to setting the snaplen (-s) parameter accordingly. From man tcpdump:

This means that with a fixed buffer size, you can increase the number of packets that fit into the buffer (and thus not be dropped) by decreasing the snaplen size.
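As an added example (not part of the original question or answer), a small POSIX sh helper that reads the summary tcpdump prints to stderr on exit, reports the kernel-drop ratio, and estimates how many packets of a given snaplen fit into a buffer of the size passed to -B; the sample summary lines and the interface name eth0 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of the three summary lines tcpdump prints to stderr on exit
# (not output from a real capture).
SAMPLE_SUMMARY='1523 packets captured
1840 packets received by filter
317 packets dropped by kernel'

# Print the "dropped by kernel" count from a summary given as $1 (0 if the line is absent).
dropped_by_kernel() {
    printf '%s\n' "$1" | awk '/packets dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# Print the "received by filter" count from a summary given as $1 (0 if absent).
received_by_filter() {
    printf '%s\n' "$1" | awk '/packets received by filter/ { n = $1 } END { print n + 0 }'
}

# Print the integer percentage of filter-matched packets the kernel dropped
# (0 when nothing was received, to avoid dividing by zero).
drop_percent() {
    dropped=$(dropped_by_kernel "$1")
    received=$(received_by_filter "$1")
    [ "$received" -gt 0 ] || { echo 0; return 0; }
    echo $(( dropped * 100 / received ))
}

# Return 0 when the summary shows no kernel drops, 1 otherwise, so a capture
# script can react (e.g. re-run with a larger -B or a smaller -s).
check_capture_drops() {
    [ "$(dropped_by_kernel "$1")" -eq 0 ]
}

# Rough upper bound on how many packets of $2 bytes (the snaplen) fit into a
# buffer of $1 KiB (the unit the answer says -B takes). libpcap also stores a
# per-packet header in the buffer, so the real figure is somewhat lower.
packets_per_buffer() {
    echo $(( $1 * 1024 / $2 ))
}

# Usage (assumed interface eth0): capture with an 8 MiB buffer and a 96-byte
# snaplen, then inspect the summary tcpdump wrote to stderr.
#   tcpdump -i eth0 -B 8192 -s 96 -w capture.pcap 2> tcpdump.log
#   summary=$(cat tcpdump.log)
#   check_capture_drops "$summary" || echo "kernel dropped $(drop_percent "$summary")% of packets"
```

Comparing packets_per_buffer 2048 1518 with packets_per_buffer 2048 96 shows the effect the answer describes: the same 2 MiB default buffer holds roughly fifteen times as many packets at the smaller snaplen.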