pcap misses packets - HELP!!!

 Hello, all!

 I need to sniff email traffic on a heavily loaded network.
Currently I am trying to use the dsniff package, whose operation is
based on libpcap. There are problems related to packet loss. Some
packets are just not captured, and this causes severe trouble (for
example, a missing FIN packet leads to abandoned connection tracking
and a memory leak). Missing pieces of mails are also not good.
 This problem happens when more than one stream of large data is
transferred concurrently (for example we send more than one 2 mb
message via SMTP at the same moment). A friend of mine told me that
this is a known problem of pcap which addresses packet copying from
kernel space to user space.
 Are there any alternative solutions working in PROMISC mode (the
traffic is running between two machines which we can't modify by
project conditions and we have a third machine on this network with
an interface in PROMISC mode)? I've tried the iptables ULOG target,
but this catches only UDP broadcasts even though I set PROMISC for the
interface using ifconfig.
 Maybe changing some sysctl values would help here? I've looked at the
kernel source and learned that dropping of packets being captured
depends on socket input buffer size and something else in the skbuff
subsystem (some conditions which are unclear to me).

-- 
Best regards,
 Pavel                          mailto:[email protected]
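
One way to quantify the loss described in the message above (missing payload and missing FIN packets), added here as an example that is not part of the original post and is not dsniff or libpcap code. The names `Segment`, `FlowReport` and `audit_flow` are hypothetical, and the input is assumed to be one direction of a TCP flow already decoded from a capture.

```python
from typing import List, NamedTuple, Tuple

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

class Segment(NamedTuple):   # hypothetical record, one per captured packet
    seq: int      # raw TCP sequence number from the header
    length: int   # TCP payload length in bytes
    flags: str    # subset of "SF" (SYN, FIN); other flags are ignored

class FlowReport(NamedTuple):
    gaps: List[Tuple[int, int]]  # (stream offset, missing bytes)
    fin_seen: bool
    bytes_captured: int

def audit_flow(segments: List[Segment]) -> FlowReport:
    """Find holes in one direction of a flow; needs the SYN, stream < 4 GiB."""
    syn = next((s for s in segments if "S" in s.flags), None)
    if syn is None:
        raise ValueError("SYN not captured; cannot anchor the stream")
    base = (syn.seq + 1) % MOD          # first payload byte follows the SYN
    spans, fin_off = [], None
    for s in segments:
        off = (s.seq + ("S" in s.flags) - base) % MOD
        if s.length:
            spans.append((off, off + s.length))
        if "F" in s.flags:
            fin_off = off + s.length    # FIN sits right after its payload
    gaps, covered, cursor = [], 0, 0
    for start, end in sorted(spans):    # sorting absorbs reordering
        if start > cursor:
            gaps.append((cursor, start - cursor))
        if end > cursor:                # retransmitted overlap counted once
            covered += end - max(start, cursor)
            cursor = end
    if fin_off is not None and fin_off > cursor:
        gaps.append((cursor, fin_off - cursor))  # loss just before the FIN
    return FlowReport(gaps, fin_off is not None, covered)

# Constructed sample: ISN close to the 32-bit wrap, one 1460-byte segment
# never captured, one retransmission, and no FIN in the capture.
SAMPLE = [
    Segment(4294966000, 0, "S"),
    Segment(4294966001, 1460, ""),
    Segment(165, 1460, ""),
    Segment(3085, 1460, ""),
    Segment(165, 1460, ""),
]

if __name__ == "__main__":
    print(audit_flow(SAMPLE))
```

A flow that reports gaps or `fin_seen=False` while both endpoints completed the transfer points to loss at the capture host rather than on the wire.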
