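A FreeBSD 6.1 machine is used to sniff the network, with ntop doing the log analysis.
However, I found that the kernel was dropping a lot of packets. For example, when capturing on the monitored Ethernet interface with tcpdump, about 50% of the packets were dropped. See the output below:

    3 packets captured
    14108 packets received by filter
    13129 packets dropped by kernel

In the ntop web interface I also saw about 10% packet loss.

Looking into it, I found that libpcap packet loss is related to the system's buffer length. According to material found online, it should be related to the SO_RCVBUF option of the setsockopt function. The original text is:

    On Linux, the “buffer length” - i.e., the length of the OS buffer into which packets are put by the OS packet capture code, to be read by libpcap - would, I think, be the socket receive buffer size. See the setsockopt man page and the SO_RCVBUF option.

That is about Linux, but I also found this function in FreeBSD's setsockopt man page, and it clearly states that this kernel variable can be adjusted with the sysctl command. The original text is:

    SO_SNDBUF and SO_RCVBUF are options to adjust the normal buffer sizes
    allocated for output and input buffers, respectively. The buffer size
    may be increased for high-volume connections, or may be decreased to
    limit the possible backlog of incoming data. The system places an
    absolute maximum on these values, which is accessible through the
    sysctl(3) MIB variable “kern.ipc.maxsockbuf”.

So I adjusted this variable, from the default of 262114 to 655360, and at first saw no effect: capturing with tcpdump, the drops were still around 50%. I thought: if raising it shows no effect, lowering it should at least increase the number of dropped packets, which would tell me whether this variable is directly related to the drops. So I set it to 20480. Then I captured with tcpdump again, and unexpectedly the number of dropped packets went to 0, and the capture output scrolled by very fast. After changing it back to 655360, the drops rose to about 50% again, and it took ages for a single captured packet to be displayed.

I can't figure it out. Could it be that tcpdump captures packets differently from ntop?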