This is a discussion on Pcap and packets - Networking ; Hi, I'm new to the world of networking, and I have some questions about packets and pcap in general. I'm running Red Hat Enterprise Linux 5 on a PC with QuadCore processor with 4GB RAM. I'm using tcpreplay to send ...
I'm new to the world of networking, and I have some questions about
packets and pcap in general. I'm running Red Hat Enterprise Linux 5 on
a PC with QuadCore processor with 4GB RAM.
I'm using tcpreplay to send 780122 packets from a 500 MB pcap file
from a server to my PC, and I'm using pcap_stats() to look at the
statistics of packets received.
My program contains the pcap_loop function that calls the callback
function, which in turn calls another function, FunctionA that
processes the incoming packets. The pcap_stat function is called when
I terminate the program using Ctrl-C, and it'll display the number of
packets dropped and received. In my callback function, I have a
counter to keep track of the packets that enter the callback
I'll like to know what are the significance of ps.recv and ps.drop?
Are they statistics of packets received by the NIC? Does ps.drop count
packets dropped before pcap_loop is even called, or when
callback_function is called, or when FunctionA is called? What about
ps.recv? Why do my counter and ps.recv show different values? I
noticed that when I receive packets from the pcap file, I always get
twice the number of packets (shown by ps.recv). For example, the pcap
file contains 780122 packets, and for some reason I can only receive a
maximum of 780049 packets, and ps.recv will return 1560098. This is
the same for other pcap files. Why is that?
Also, when I send just one 500 MB pcap file to my PC at a relatively
high speed (~700 Mbps), I encounter no dropped packets. However, if I
loop the pcap file multiple times at the same speed, I'll get dropped
packets. Is this a sign of running out of buffer space (kernel, NIC?),
or is FunctionA simply not fast enough? Would a low CPU utilization
rate coupled with dropped packets point more towards a lack of buffer
I've also come across rmem_default and rmem_max. Are they parameters
for setting the (kernel?) buffer space for the packets? What is a good
size for rmem_default and rmem_max if I'm receiving packets at speeds
over 700 Mbps?
Finally, are there any tutorials online that would explain how a
packet is transferred from wire to the function where it's processed,
and why packets are dropped?