0

I have a server with a network interface connected to a switch port that is configured to mirror all the traffic that goes through the switch, which means that if I run tcpdump on that interface I see a lot of packets.

The strange thing is that all these packets don't show up in the interface statistics, neither as "received" nor as "dropped". Why aren't they being counted?

1 Answer

1

They aren't counted as received because they aren't being received. The interface won't receive packets that aren't sent to an Ethernet hardware address it owns. They aren't counted as dropped because they aren't being dropped. A packet would have to be eligible to be received in order for it to be dropped.

To the interface, the packets are just background noise. The effect is the same as if the device were connected to a hub rather than a switch.

David Schwartz
  • That makes sense, thanks. Does that mean that they would be counted if I set the interface to promiscuous mode? – Homer5439 Dec 19 '11 at 14:44
  • Ok, I tried it and in promiscuous mode they are counted indeed. Still, they are counted as "received" even if there's no application to read them. What, then, is considered "dropped"? – Homer5439 Dec 19 '11 at 15:01
  • A packet is "dropped" if the system was unable to process it. For example, if the network interface's buffers overflow, packets will be dropped. – David Schwartz Dec 19 '11 at 15:09
  • Thanks. So I guess there's no way to see stats about packets that were dropped at a higher level (e.g., no application listening on a socket and the like)? – Homer5439 Dec 19 '11 at 15:18
  • Those packets are not dropped. They're processed and, if appropriate, responded to. – David Schwartz Dec 19 '11 at 15:20
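The check discussed in this thread, as an added example that is not part of the original question, answer or comments: it compares two snapshots of the receive counters for a mirror-port interface and reads the promiscuous bit from the interface flags. It assumes a Linux host (`/proc/net/dev` layout and `/sys/class/net/<iface>/flags`); the interface name `eth1`, the counter values and the result labels are constructed for illustration.

```python
# Added example with constructed data; assumes Linux /proc/net/dev and sysfs flags.
IFF_PROMISC = 0x100  # promiscuous bit in the interface flags word (linux/if.h)

# Constructed snapshots in /proc/net/dev layout; "eth1" is a hypothetical name.
HEADER = (
    "Inter-|   Receive                      |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast|bytes packets\n"
)
BEFORE = HEADER + "  eth1: 1000 10 0 0 0 0 0 0 500 5 0 0 0 0 0 0\n"
AFTER = HEADER + "  eth1: 901000 9010 0 25 0 0 0 0 500 5 0 0 0 0 0 0\n"


def parse_proc_net_dev(text):
    """Return {iface: {"rx_packets": n, "rx_dropped": n}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:  # first two lines are column headers
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 4:
            continue  # skip blank or truncated lines
        # Receive columns: bytes, packets, errs, drop, ...
        stats[name.strip()] = {"rx_packets": int(fields[1]), "rx_dropped": int(fields[3])}
    return stats


def is_promiscuous(flags_hex):
    """flags_hex is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def rx_delta(before, after, iface):
    """Counter growth between two snapshots for one interface."""
    b, a = parse_proc_net_dev(before)[iface], parse_proc_net_dev(after)[iface]
    return {key: a[key] - b[key] for key in a}


def assess(before, after, iface, flags_hex):
    """Classify a mirror-port capture interface from its flags and counters."""
    delta = rx_delta(before, after, iface)
    if not is_promiscuous(flags_hex):
        return "not-promiscuous"  # mirrored frames for other MACs are not counted
    if delta["rx_packets"] == 0:
        return "no-traffic"       # promiscuous, yet nothing arrived in the interval
    if delta["rx_dropped"] > 0:
        return "dropping"         # frames arrived but the system could not process some
    return "ok"


if __name__ == "__main__":
    print(rx_delta(BEFORE, AFTER, "eth1"), assess(BEFORE, AFTER, "eth1", "0x1103"))
```

On a live host the two snapshots would be reads of `/proc/net/dev` taken some seconds apart; counter wrap-around is not handled here.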