1

Unexpected packet drops

view story
linux-howto

http://serverfault.com – I am running three VMs connected over a virtual switch. I configured the vSwitch to forward all traffic from the server VM to both output ports where the other two VMs are connected. Thus the server VM sends traffic to two others. I ran wireshark on all devices and observed that one of the VMs is dropping some TCP packets. So, the number of packets received on the two VMs are not same. When I ran wireshark on the host, it showed that all packets are sent out to the destination but then the kernel seems to drop some packets randomly. The receive queue length is 4096 (as ethtool -g shows). What (HowTos)

dayu's picture
Submitted by dayu on 09/26/2012

Stories similar to Unexpected packet drops

I've got wireshark setup on a monitoring machine to monitor our offices internet traffic (approx 40 machines). However, whenever I start wireshark within about 30-40 seconds it has crashed - I think due to the large volume of packets being received around 10,000+ per second. Is there anyway to solve this?

I've installed Wireshark and configured it to let my user run it with all needed privileges (I enabled dumpcap and added my user to wireshark group, then restarted).

Devices are shown and capture starts well. The problem is that only packets sent to and directed to the PC where Wireshark is running are captured.

We have a script which calls

tcpdump -v src host <IP address> and port <port number> >>out.txt 2>>err.txt -w capture.cap

on multiple IP-s while the other parts of the script initiates some traffic in the background. We want check if packets are coming back to us, and examine manually only those cases when we receive packages.

I have a server with a network interface connected to a switch port that is configured to mirror all the traffic that goes through the switch, which means that if I run tcpdump on that interface I see a lot of packets.

The strange thing is that all these packets don't show up in the interface statistics, neither as "received" nor as "dropped". Why aren't they being counted?

I'm writing a service using UDP, but I can't manage to reply to the client.

When sending to the client via the DHCP-assigned IP (192.168.1.143) Wireshark shows no sent packets. The server receives and Wireshark shows any packet sent by the client (broadcasted).

If I send to a random, unassigned IP Wireshark doesn't show it.

I want to inspect which host is sending the most traffic to my server. How can I get something like this:

172 192.168.1.1 19 192.168.1.56

Which means that in a specific time interval, my serve received 172 packets from 192.168.1.1 and 19 packets from 192.168.1.56.

How can I do this?

Capture interfaces show: eth0 - with IP - shows packets sent and received wmaster0 - unknown - no packets shown wlan0 - unknown - no packets shown bluetooth - unknown - shows packets sent and received any - unknown - shows packets sent and received io - with IP - no packets shown.

I’m trying to improve my TCP throughput over a “gigabit network with lots of connections and high traffic of small packets”. My server OS is Ubuntu 11.10 Server 64bit.

There are about 50.000 (and growing) clients connected to my server through TCP Sockets (all on the same port).

95% of of my packets have size of 1-150 bytes (TCP header and payload).

Wireshark and iptables 38 weeks 5 days ago

thatguy wrote:Does wireshark read packets before they reach the kernel/iptables?Yes.thatguy wrote:I had iptables set up to block everything, yet wireshark continued to get up to several hundred packets per second, mostly ARP broadcast from the lan.Expected behaviour.