Linux Buffer size for capturing packets in kernel space?

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same license and attribute it to the original authors (not me): StackOverFlow. Original: http://stackoverflow.com/questions/6979325/

Time: 2020-08-05 05:33:23  Source: igfitidea

Tags: linux, unix, networking, network-programming, linux-kernel

Asked by Anon

Going through the man page of tcpdump here. It seems kernel can drop the packets if the buffer is full. I was wondering if

1) that size is configurable and/or 2) where can I see the size for my distro?

From the man page (for easy reference):

packets ``dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

Accepted answer by ezpz

There are several areas you might check to mitigate packets dropped by kernel:

  • Look at configuring /proc/sys/net/core/netdev_max_backlog and /proc/sys/net/core/netdev_budget. The default is probably pretty low; try setting each to something like 2000.
  • Writing to the output device screen may be blocking/slowing the tcpdump process long enough to fill the recv buffer
    • Use -nn to turn off DNS lookups and port naming
    • Write to file instead of the screen
    • Try a tool such as gulp
  • If you have a multi-processor machine look at using taskset
  • Use nice to set the priority of the process

Even with those settings, it may just be that you cannot keep up with the speed of the traffic you are trying to capture. Look at the details of your NIC and machine and ensure that what you expect is even possible.
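One way to check whether netdev_max_backlog or netdev_budget is actually the limiting factor before raising either, as an added example that is not part of the original answer: it diffs two snapshots of /proc/net/softnet_stat taken before and after a capture. The snapshot contents and the function names are constructed for illustration.

```python
from pathlib import Path

# Constructed snapshots in /proc/net/softnet_stat format (hex, one row per
# online CPU). Column 1 = packets processed, column 2 = dropped because the
# per-CPU backlog queue was full, column 3 = time_squeeze (the RX softirq
# stopped with work left because it ran out of budget or time).
BEFORE = """\
0004a3f1 00000000 00000002 00000000 00000000
00051b20 0000001f 00000000 00000000 00000000
"""
AFTER = """\
0004f211 00000000 00000002 00000000 00000000
0005e670 0000002b 00000000 00000000 00000000
"""

def parse_softnet(text):
    """Return one (processed, dropped, time_squeeze) tuple per row."""
    rows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3:  # ignore blank or truncated lines
            rows.append(tuple(int(c, 16) for c in cols[:3]))
    return rows

def delta(before, after):
    """Per-row counter growth between two snapshots of the same machine."""
    return [tuple(a - b for a, b in zip(ra, rb))
            for rb, ra in zip(parse_softnet(before), parse_softnet(after))]

def knobs_to_raise(deltas):
    """Name the sysctl whose counter grew during the capture window."""
    knobs = []
    if any(d[1] > 0 for d in deltas):
        knobs.append("netdev_max_backlog")
    if any(d[2] > 0 for d in deltas):
        knobs.append("netdev_budget")
    return knobs

if __name__ == "__main__":
    for i, (proc, drop, sq) in enumerate(delta(BEFORE, AFTER)):
        print(f"row {i}: processed={proc} dropped={drop} time_squeeze={sq}")
    print("consider raising:", knobs_to_raise(delta(BEFORE, AFTER)) or "neither")
    for name in ("netdev_max_backlog", "netdev_budget"):
        p = Path("/proc/sys/net/core") / name  # present on Linux only
        if p.exists():
            print(name, "=", p.read_text().strip())
```

On a live system, replace the two constructed strings with the contents of /proc/net/softnet_stat read before and after the tcpdump run; if neither counter grows while tcpdump still reports kernel drops, the bottleneck is elsewhere.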

Answer by young

1) It's configurable but not precisely as it would decide a proper size from your request.

2) Use setsockopt / getsockopt with SO_RCVBUF / SO_SNDBUF

I'm not familiar with Linux but it seems this link explains it well: http://linux.die.net/man/7/socket