Tcpdump, dropped packets

voltagex · April 17, 2023, 8:16am

root@blackbox:/data# tcpdump -B2G -w ps5-1.pcap -nN -i wlan1
tcpdump: listening on wlan1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C54136 packets captured
58582 packets received by filter
4445 packets dropped by kernel

Is there any way I can reduce the number of dropped packets? I’ve cranked up the buffer and turned off name resolution and it’s writing to NVMe.

mcbridematt · April 18, 2023, 5:46am

Is it possible you could install netdata (opkg install netdata) and export a snapshot while you are doing the tcpdump?

If not, at least screenshot CPUs->utilization, CPUs->interrupts and the relevant network interface (Under Network interfaces).
What I am looking for is if there is any saturation of a single CPU core.

voltagex · April 18, 2023, 8:24am

Seems like I can’t upload here - should I email?

mcbridematt · April 18, 2023, 8:52am

Yes, please email it.

mcbridematt · April 29, 2023, 12:04am

@voltagex I managed to get tcpdump with PF_RING working!
The same issue came to bite us debugging a customer issue so I was extra motivated to get it working.

You’ll need to use this build:
https://archive.traverse.com.au/pub/traverse/ls1088firmware/openwrt/branches/22_03/852551817/image/

and install the tcpdump-pfring package.

Looks much better here:

root@OpenWrt:/tmp# tcpdump -B2G -nN  -i wlan1 -w wlan_cap_nopf.cap
tcpdump: listening on wlan1, link-type EN10MB (Ethernet), capture size 262144 bytes
1063170 packets captured
1484426 packets received by filter
421252 packets dropped by kernel
root@OpenWrt:/tmp# tcpdump-pfring -B2G -nN  -i wlan1 -w wlan_cap.cap
tcpdump-pfring: listening on wlan1, link-type EN10MB (Ethernet), capture size 262144 bytes
1060586 packets captured
1060586 packets received by filter
0 packets dropped by kernel

voltagex · April 29, 2023, 2:44am

Wow! Thanks.

Is this something you intend to keep in the main branch?

mcbridematt · April 29, 2023, 3:13am

Yes, it will be standard from now on.

I’ll be submitting it to OpenWrt’s package feed as well but need to clean up the Makefile’s and patches first.
Work in progress here: Mathew McBride / PF_RING tcpdump for OpenWrt · GitLab

voltagex · April 29, 2023, 4:25am

If I really push it running Speedtest and capturing the WAN port, I can still get drops but this is probably not a fair test.

root@blackbox:~# tcpdump-pfring -nN -B2G -w /data/pfring_test2.pcapng -i eth6
tcpdump-pfring: listening on eth6, link-type EN10MB (Ethernet), capture size 262144 bytes
1569537 packets captured
1664493 packets received by filter
94956 packets dropped by kernel

mcbridematt · May 1, 2023, 7:45am

I can see that too.

The performance seems to be a bit better (= I can’t cause it to drop capture packets as easily) under the OpenWrt master/5.15 kernel, but I would not advise jumping just yet.