Buffer size for capturing packets in kernel space

Tags: buffer, kernel, networking, tcpdump

Going through the man page of tcpdump, it seems the kernel can drop packets if the buffer is full. I was wondering if:

  1. that size is configurable and/or
  2. where can I see the size for my distro?

From the man page (for easy reference):

packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

Best Answer

Tcpdump has the option -B to set the capture buffer size. The value is then passed to libpcap (the library used by tcpdump to do the actual packet capturing) via the pcap_set_buffer_size() function. The tcpdump man page does not specify in what units the buffer size is specified with -B, but from the source it seems that it is KiB.

The manual page of pcap_set_buffer_size() does not specify the default buffer size (which is used if this function is not called), but again, from the libpcap source, this seems to be 2 MiB, at least on Linux (but is most likely system dependent).

With regard to packet buffering and dropping, you should also pay attention to setting the snaplen (-s) parameter accordingly. From man tcpdump:

-s     Snarf snaplen bytes of data from each packet rather than the
default of 65535 bytes. Packets truncated because of a limited snapshot
are indicated in the output with ``[|proto]'', where proto is the name of
the protocol level at which the truncation has occurred. Note that taking
larger snapshots both increases the amount of time it takes to
process packets and, effectively, decreases the amount of packet buffering.
This may cause packets to be lost. You should limit snaplen to the
smallest number that will capture the protocol information you're
interested in. Setting snaplen to 0 sets it to the default of 65535, for
backwards compatibility with recent older versions of tcpdump.

This means that with a fixed buffer size, you can increase the number of packets that fit into the buffer (and thus are not dropped) by decreasing the snaplen size.
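To tell whether a given -B / -s combination is actually losing packets, the counters tcpdump prints when it exits can be checked automatically. The following is an added example, not part of the original answer; the sample summary is constructed, the function names and the 1% threshold are assumptions, and it treats "received by filter" as the denominator even though the man page notes that counter's meaning is OS dependent.

```python
import re

# Constructed sample of the summary tcpdump writes to stderr on exit.
SAMPLE_SUMMARY = """\
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
48213 packets captured
50000 packets received by filter
1787 packets dropped by kernel
0 packets dropped by interface
"""

# tcpdump prints "1 packet ..." in the singular, so the "s" is optional.
_COUNTER = re.compile(
    r"^(\d+) packets? "
    r"(captured|received by filter|dropped by kernel|dropped by interface)[ \t]*$",
    re.MULTILINE,
)


def parse_summary(text):
    """Return the counters found in tcpdump's exit summary as a dict."""
    return {name: int(count) for count, name in _COUNTER.findall(text)}


def kernel_drop_ratio(stats):
    """Fraction of filter-matched packets dropped for lack of buffer space.

    Returns None when the counters are missing or nothing was received.
    A ratio of 0.0 is not proof of a lossless capture: the man page says the
    counter is reported as 0 when the OS does not expose it.
    """
    received = stats.get("received by filter")
    dropped = stats.get("dropped by kernel")
    if not received or dropped is None:
        return None
    return dropped / received


def needs_tuning(text, threshold=0.01):
    """True if kernel drops exceed the (assumed) acceptable threshold,
    i.e. the capture should be rerun with a larger -B or a smaller -s."""
    ratio = kernel_drop_ratio(parse_summary(text))
    return ratio is not None and ratio > threshold


if __name__ == "__main__":
    stats = parse_summary(SAMPLE_SUMMARY)
    print(stats, kernel_drop_ratio(stats), needs_tuning(SAMPLE_SUMMARY))
```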
