[dnscap-users] dnscap 1.2.0 dropping packets vs version 20160205?

Jerry Lundström jerry at dns-oarc.net
Mon Dec 12 06:17:57 UTC 2016


Hi Paul,

Sorry for the late reply but I have been away.

There have been A LOT of changes to the internals of dnscap due to
reported packet loss and what I found while trying to solve it is that
some combinations of libpcap and Linux kernel version tend to drop more
than others.  What kernel are you running?

As with Duane's results below, all the testing I've done has only shown
improvement in the packet capturing.

With 1.2.0 and pcap-thread [2] the capturing is done in threads, can you
rerun your tests with -S to see if it is dropping packets because of CPU?

I also see that you are using -t 300 and I've recently noticed an issue
with the -t flag that I've yet to have time to look closer at, this may be
responsible for your numbers.  If you can, please also capture with
tcpdump first and then run the various versions on the pcap file.

Cheers,
Jerry

On 11/30/16 22:34, Paul Vlaar wrote:
> Odd! (on my results, that is) I'll have to do some more investigation
> then on this end. I'll try on a FreeBSD system as well. I'm starting to
> think it may be some interaction between other components on the Ubuntu
> system now.
> 
> Thanks for looking into this so far Duane, very much appreciated.
> 
> 	~paul
> 
> 
> On 30/11/16 23:29, Wessels, Duane wrote:
>> Paul,
>>
>> I did another little test here with our live traffic.  I ran dnscap-20160205 and dnscap-1.2.0 in two separate windows with these parameters (e.g. 10 time span):
>>
>> $ sudo ./dnscap -f -m q -s i -i ens1f1 -t 10 -T -w /disk2/tmp/dnscap-old
>> $ sudo ./dnscap -f -m q -s i -i ens1f1 -t 10 -T -w /disk2/tmp/dnscap-new
>>
>> Then I counted the number of packets captured in each 10-second file, shown in the table below.  In most cases the newer v1.2.0 wins by a little:
>>
>> start time       v20160205    v1.2.0
>> ---------------  ---------  --------
>> 20161130.221220     841709    938803
>> 20161130.221230     913349    948758
>> 20161130.221240     813905    839441
>> 20161130.221250     766642    812000
>> 20161130.221300     671017    729540
>> 20161130.221310     748825    760573
>> 20161130.221320     759913    766256
>> 20161130.221330     777853    771760
> 
> 
> 


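Added example, not part of the original thread or of dnscap: a Python sketch of the comparison described above (count the packets in each output file, then compare the two versions), which applies equally when one tcpdump capture is replayed through each version. It assumes classic pcap files (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}

def count_pcap_packets(data: bytes) -> int:
    """Count complete packet records in a classic (non-pcapng) pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in _MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    count, offset = 0, 24
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            break  # truncated final record (file cut mid-write): do not count it
        count += 1
    return count

def compare_counts(old: dict, new: dict) -> list:
    """Rows of (interval, old, new, percent change old->new) for shared intervals."""
    rows = []
    for key in sorted(old.keys() & new.keys()):
        pct = 100.0 * (new[key] - old[key]) / old[key] if old[key] else float("nan")
        rows.append((key, old[key], new[key], round(pct, 2)))
    return rows

def make_pcap(n, payload=b"\x00" * 60, endian="<"):
    """Build a constructed pcap with n identical records (sample input only)."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack(endian + "IIII", 0, 0, len(payload), len(payload)) + payload
    return header + record * n

if __name__ == "__main__":
    # Two rows taken from the table in the thread; the pcap bytes are constructed.
    old = {"20161130.221220": 841709, "20161130.221330": 777853}
    new = {"20161130.221220": 938803, "20161130.221330": 771760}
    for row in compare_counts(old, new):
        print("%s  old=%d  new=%d  change=%+.2f%%" % row)
    print("records in constructed capture:", count_pcap_packets(make_pcap(5)))
```

Counting records in a file only shows what reached disk; comparing against a count from the same traffic captured once and replayed removes the difference between two live runs.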