Hello! > handle huge pipes like ATM. There were already some complaints that=20 > tcpdump does not show every packet (probably because the receive queue > is overrun) going over a link.=20 Use getsockopt(PACKET_STATISTICS) to get drop statistics. See the patch. Mapped packet socket shows places where packets were lost exactly, by the way. Seems, I did not use this even in the patch, because I stopped to update it after tcpdump.org fork. > I want tcpdump to use the turbo packet feature and if the filter does > not truncate the packet the full data is copied into user space No! You pass snap size length to recvmsg(). If you want to know original packet length, you pass MSG_TRUNC flag to recvmsg(), then return value will be real packet length. Again, see the patch. For mmaped socket snap length is set separately. BTW it is not universal solution, it is good only for small snap sizes. > It currently has to work with kernel 2.0.x as well Mama mia. Old good LBNL tcpdump is enough to satisfy people using 2.0. You lose your time, nothing more. > Point taken. But those inconveniences can be fixed in small steps instead > of having a huge patch which does everything at once. I use tcpdump for... I do not remember. When you do small steps for 5 years, you arrive to huge patch. 8) > I wonder if the default snaplen you are using (144) is right for all > interfaces. It is enough to debug almost everything, which I had to deal with. > Isn't there an interface with a longer header than ethernet? Of course, they are. Only with SOCK_DGRAM all the interfaces are ethernet yet. 8) > everything on a fast device can still use "-s". Rather to reduce binary dump size. 8) Alexey - : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.rutgers.edu
