Argus management records
Peter Van Epp
vanepp at sfu.ca
Thu Nov 15 17:47:01 EST 2007
On Thu, Nov 15, 2007 at 10:21:38PM +0000, Carter Bullard wrote:
> The dropped packets are reported by the libpcap interface, so you won't see them using ifconfig. Why there are reported drops is not always clear, but if it is chronic, you may need to modify something, either more machine, not having argus write to a file, etc .....
>
> You should be able to graph it using "drop" but "sport" should do it too?
>
> Carter
>
> Carter Bullard
> QoSient LLC
> 150 E. 57th Street Suite 12D
> New York, New York 10022
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax

The pcap drop counter gets incremented when the kernel is adding a
new packet to the pcap buffer that will overwrite an older packet that hasn't
been read yet. More CPU is one answer (so it gets read faster); sometimes
using the sysctl (at least on FreeBSD) to increase the size of the pcap buffer
helps. If you are on Linux, one of the PF-ring kernels from www.ntop.org or
the similar one from the tcpdump folks at LBL will help (the PF-ring kernel
is what I'm using). On FreeBSD

    /sbin/sysctl net.bpf.bufsize=524288

will boost the buffer to its max size.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
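
Added example (not part of the message above and not Argus, libpcap or kernel code): a simplified Python model of a fixed-size capture buffer, showing why a larger buffer absorbs bursts while only a faster reader cures sustained overload. The tick unit, packet rates, 1500-byte packet size and the 32768-byte small buffer are constructed assumptions; 524288 is the value from the message.

```python
"""Simplified model of a fixed-size capture buffer (not kernel or libpcap code).

A packet that arrives when the buffer has no free room counts as a drop,
which is the event the pcap drop counter reports.
"""

PKT_LEN = 1500        # bytes per packet (constructed)
SMALL_BUF = 32768     # constructed small buffer size, in bytes
LARGE_BUF = 524288    # net.bpf.bufsize value quoted in the message


def simulate(bufsize, reads_per_tick, arrivals):
    """Return (delivered, dropped) packet counts.

    arrivals: packets arriving in each tick (hypothetical time unit).
    reads_per_tick: packets the reader can consume per tick ("more CPU").
    """
    queued = 0                      # bytes waiting to be read
    delivered = dropped = 0
    for n_pkts in arrivals:
        for _ in range(n_pkts):
            if queued + PKT_LEN > bufsize:
                dropped += 1        # no room left: counted as a drop
            else:
                queued += PKT_LEN
        # The reader runs once per tick and takes whole packets.
        taken = min(queued // PKT_LEN, reads_per_tick)
        queued -= taken * PKT_LEN
        delivered += taken
    return delivered, dropped


# Constructed traffic: 10 bursts of 200 packets, each followed by 9 idle ticks.
BURSTY = ([200] + [0] * 9) * 10
# Constructed traffic: a steady 60 packets per tick for 100 ticks.
SUSTAINED = [60] * 100

if __name__ == "__main__":
    cases = [
        ("bursty, small buffer, 40 reads/tick", SMALL_BUF, 40, BURSTY),
        ("bursty, large buffer, 40 reads/tick", LARGE_BUF, 40, BURSTY),
        ("sustained, large buffer, 40 reads/tick", LARGE_BUF, 40, SUSTAINED),
        ("sustained, large buffer, 60 reads/tick", LARGE_BUF, 60, SUSTAINED),
    ]
    for label, buf, rate, traffic in cases:
        delivered, dropped = simulate(buf, rate, traffic)
        print(f"{label:42s} delivered={delivered:5d} dropped={dropped:5d}")
```

In this model the larger buffer removes the burst drops entirely, but under sustained overload it only delays them until the buffer fills; the drops stop only when the read rate matches the arrival rate.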