This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

10 gig capture dumpcap

0

We are capturing 10 gig traffic with Dumpcap (the NIC being 10 Gig). Is it possible to know if dumpcap is dropping packets while capturing? We are analyzing the saved captures. Is there a way to know the statistics of packets dropped by the tool and not by the network (NIC, switch, wire etc.), i.e. testing the tool's capabilities of capturing 10 Gig?

asked 29 Jan '14, 02:23


deepacket

edited 29 Jan '14, 02:31

Which version of Wireshark are you using? On which OS and version? Newer versions of Dumpcap report the number of drops reported by libpcap (what version of libpcap do you have?). At best, libpcap obviously can only report the number of dropped packets that were received by the NIC. Libpcap 1.5.x can make use of TPACKET_V3, which currently is thought to be the most efficient method on Linux systems. ntop.org's "direct NIC access" may be better. Depending on your system, packet drops can start as low as 100Mb/s.

(29 Jan '14, 04:59) Anders ♦

Hi Anders, the version of Wireshark we are using is 1.10.2 and this is installed on a Windows Server 2008 RT. Is the dropped packet count feature that you mention also available on Windows systems? Can you kindly give more clarity on this? We are interested in knowing the packets dropped by the tool while capturing.

(29 Jan '14, 21:26) deepacket

Hi, on my machine with the development version the output of dumpcap is:

    C:\xxx>wireshark-gtk2\dumpcap -a duration:2
    Capturing on 'Local Area Connection 11'
    File: C:\xxx\Temp\wireshark_pcapng_Local Area Connection- xxxxx
    Packets captured: 0
    Packets received/dropped on interface 'Local Area Connection xx': 0/0 (pcap:0/dumpcap:0/flushed:0/ps_ifdrop:0) (0.0%)

What is your output?

(30 Jan '14, 03:40) Anders ♦

According to the following mail, WinPcap will not be able to capture at 10G !??!

https://www.winpcap.org/pipermail/winpcap-users/2009-May/003214.html

@deepacket: Would you please post the dumpcap output of dropped frames (see comment of @Anders) for low/medium/high utilization of a 10G link?

I'm interested where the packets get lost 'first' (winpcap driver, dumpcap buffering, disk writes, etc.) in such an environment. Thanks in advance!!!

(30 Jan '14, 04:37) Kurt Knochner ♦

That might not be so easy to figure out.

If packets aren't fetched fast enough from the buffers on the NIC, the NIC buffers will overrun (that might be reported on the NIC). If packets aren't fetched fast enough from the kernel by libpcap, the kernel buffer might overrun. If dumpcap isn't fetching and writing the packets fast enough, libpcap's buffer will overrun. I don't know how the capture mechanism works on Windows/winpcap, so I don't know if it uses mmap'ed buffers to reduce copying. I'm unsure how the packet drop counters are implemented in winpcap, so even if packet drops are reported it's hard to know where the drop happened. Line-rate capture on a 10G interface is not likely.

(30 Jan '14, 12:08) Anders ♦
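
As an added example (not part of the thread and not Wireshark's own code), the per-interface summary line from the dumpcap output quoted above can be parsed per test run to see which drop counter grows first as load increases. The mapping from counter names to stages is an assumption, and the sample lines are constructed.

```python
import re

# Format of the per-interface summary line in the dumpcap output quoted above.
SUMMARY = re.compile(
    r"Packets received/dropped on interface '(?P<iface>[^']*)': "
    r"(?P<received>\d+)/(?P<dropped>\d+) "
    r"\(pcap:(?P<pcap>\d+)/dumpcap:(?P<dumpcap>\d+)/"
    r"flushed:(?P<flushed>\d+)/ps_ifdrop:(?P<ps_ifdrop>\d+)\)"
)

# ASSUMPTION (not stated in the thread): "pcap" and "ps_ifdrop" mirror the
# ps_drop and ps_ifdrop fields of libpcap's struct pcap_stat; "dumpcap" and
# "flushed" are counted inside dumpcap itself.
STAGE = {
    "ps_ifdrop": "NIC or driver",
    "pcap": "kernel capture buffer",
    "dumpcap": "dumpcap buffering",
    "flushed": "flushed by dumpcap",
}

def parse_summary(text):
    """Return one dict of counters per interface summary line in `text`."""
    return [
        {k: v if k == "iface" else int(v) for k, v in m.groupdict().items()}
        for m in SUMMARY.finditer(text)
    ]

def dominant_stage(row):
    """Stage with the largest drop counter, or None when nothing was dropped."""
    worst = max(STAGE, key=lambda k: row[k])
    return STAGE[worst] if row[worst] else None

def report(runs):
    """Map each labelled run to (received, dropped, dominant stage)."""
    out = {}
    for label, text in runs.items():
        for row in parse_summary(text):
            out[label] = (row["received"], row["dropped"], dominant_stage(row))
    return out

# Constructed sample lines (invented counters, trailing percentage omitted).
LINE = ("Packets received/dropped on interface 'eth1': {}/{} "
        "(pcap:{}/dumpcap:{}/flushed:{}/ps_ifdrop:{})\n")
RUNS = {
    "low": LINE.format(1000, 0, 0, 0, 0, 0),
    "medium": LINE.format(50000, 1200, 1200, 0, 0, 0),
    "high": LINE.format(900000, 260000, 250000, 10000, 0, 4000),
}

if __name__ == "__main__":
    for label, result in report(RUNS).items():
        print(label, result)
```

Feed it the text dumpcap prints when a capture stops; lines that are not interface summaries are ignored.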

Hi Anders and Kurt,

We tested with Dumpcap with all the offload functionality disabled on the NIC, but the packet drop rate was unbearably high. Next we are thinking of using a Linux system with tcpdump. Considering the efficiency that is inherent to Linux, we are hoping to get better results. However, how do we use the TPACKET_V3 capabilities? Any help on this will be appreciated.

Deepak

(20 Feb '14, 07:31) deepacket

For TPACKET_V3 capabilities you'll need to have libpcap >= 1.5.0 compiled with TPACKET_V3 support, and a proper kernel of course.

(20 Feb '14, 10:05) Jaap ♦

I use Ubuntu 13.10 and get libpcap 1.5.3 from trusty

(21 Feb '14, 03:41) Anders ♦