# tcpdump and dropped packets...



## g3joel (May 17, 2003)

I plan to write some sort of network data tool in Cocoa which will let you know how much data you have downloaded/uploaded.

I've decided to base it on the built in tool 'tcpdump'. The problem is that if the network transfer rate is too high tcpdump will end up dropping a majority of the incoming packets which I need to analyse - if I don't get the packets I can't calculate their size, and so the total amount transferred is inaccurate.

I understand that it could be a problem with the size of the buffer between the kernel and tcpdump (the buffer gets filled with packets too quickly and is overwritten before tcpdump has a chance to read from it). However, I have increased both of the values for 'debug.bpf_bufsize' and 'debug.bpf_maxbufsize' without any positive effect.

Would anyone be able to shed some light on this problem for me? I'd be eternally grateful  

Thanks.


----------



## theed (May 17, 2003)

Ummm, I think you're looking in the wrong place.  The packet and byte count should be part of the basic driver for the ethernet card, These are numbers it has to deal with anyway, so it's pretty trivial to record the data from there.  You wouldn't want to do much real analyzing in the driver though as it would slow down the performance of the ethernet port.

TCPDump is designed to analyze deeply, but not interfere with the throughput of the card.  If the card goes too fast, TCPDump drops packets.  If you don't want to drop packets, don't use TCPDump.  I believe if you poke around in the right parts of the kernel or something these numbers should already exist.

Also, look into IPNetMonitorX to make sure your needs aren't already fulfilled.


----------

