Detect packet drops
elof2 at sentor.se
Tue Oct 25 10:17:17 EDT 2011
Hi Carter and list!
Is there any way to easily detect loss in SPAN-traffic?
If I mirror two 1 Gbps full-duplex ports to a 1 Gbps SPAN port, in theory
the switch could try to copy 4 Gbps onto it, resulting in dropped packets.
The sniffer machine receiving the mirrored traffic could be heavily loaded
and drop packets.
In protocols such as TCP, these drops are detectable, due to gaps in the
sequence counters.
Generating a pcap-file, scp:ing it to a machine running wireshark and then
looking at the expert info is such a hassle. I'm looking for a command-line
tool that shows me when packets are missing (by printing a * for every
missed packet) or gives me an estimated ratio of drops per minute.
Is there such a tool?
I'm guessing that argus can't help me, since it doesn't distinguish
between loss and retransmissions in the 'flgs' field:
* - Both Src and Dst loss/retransmission
s - Src loss/retransmissions
d - Dst loss/retransmissions
/Elof
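
The sequence-gap idea raised in the message above, as an added example (not part of the original post and not argus code): a gap that the receiver later ACKs was delivered on the wire but never reached the sensor, while a gap that is filled before being ACKed, or a repeat of bytes already captured, points to loss or retransmission on the network itself. The endpoint names and segment tuples are constructed, and the sketch assumes relative sequence numbers with no wraparound and ignores SYN/FIN.

```python
from collections import defaultdict

def analyse(segments):
    """segments: (src, dst, seq, payload_len, ack) tuples in capture order."""
    expected = {}               # (src, dst) -> highest sequence end seen so far
    holes = defaultdict(list)   # (src, dst) -> [(start, end)] ranges never seen
    stats = {"missed_bytes": 0, "retransmits": 0}
    for src, dst, seq, length, ack in segments:
        fwd, rev = (src, dst), (dst, src)
        # A hole below the peer's ACK was delivered but never reached the sensor.
        kept = []
        for a, b in holes[rev]:
            covered = min(ack, b) - a
            if covered > 0:
                stats["missed_bytes"] += covered
                a += covered
            if a < b:
                kept.append((a, b))
        holes[rev] = kept
        if length == 0:                   # pure ACK, no payload to place
            continue
        s, e = seq, seq + length
        nxt = expected.get(fwd, s)
        if s > nxt:                       # jump ahead: open a hole
            holes[fwd].append((nxt, s))
        kept, filled = [], False
        for a, b in holes[fwd]:           # late data closes (part of) a hole
            if e <= a or s >= b:
                kept.append((a, b))
                continue
            filled = True
            if a < s:
                kept.append((a, s))
            if e < b:
                kept.append((e, b))
        holes[fwd] = kept
        if e <= nxt and not filled:       # bytes already seen: retransmission
            stats["retransmits"] += 1
        expected[fwd] = max(nxt, e)
    return stats

# Constructed sample: A sends data to B, B only acknowledges.
A, B = "10.0.0.1:40000", "10.0.0.2:80"
SAMPLE = [(A, B, 1000, 100, 5000), (B, A, 5000, 0, 1100), (A, B, 1100, 100, 5000),
          (A, B, 1300, 100, 5000), (B, A, 5000, 0, 1400),  # 1200-1299 ACKed, never seen
          (A, B, 1400, 100, 5000), (A, B, 1600, 100, 5000), (B, A, 5000, 0, 1500),
          (A, B, 1500, 100, 5000), (B, A, 5000, 0, 1700),  # hole filled by late data
          (A, B, 1600, 100, 5000)]                         # bytes already captured
print(analyse(SAMPLE))
```

Dividing `missed_bytes` by the bytes seen per interval gives the kind of drop ratio the post asks for.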