
OS: Ubuntu 16.04

I created some packets using the Scapy packet creator tool. The destination address for the packets is my localhost (i.e. 127.0.0.1):

    from scapy.all import IP, TCP, send

    while True:
        # Both source and destination are local, so the packet travels over lo
        packet = IP(src='127.0.1.1', dst="127.0.0.1") / TCP(dport=80) / "from scapy packet"
        send(packet)
        print("tcp sent")

Now, when I run tcpdump on my machine and stop it after some time, the number of packets captured is only half the number of packets received by the filter, but none of the packets are dropped. Here is the output of tcpdump:

    sudo tcpdump -i any dst 127.0.0.1

OUTPUT:

    119 packets captured
    238 packets received by filter
    0 packets dropped by kernel

Even if I run `tcpdump -i lo`, I get the same problem. Using tshark instead of tcpdump also displays the same number of packets captured.

Why does this happen? Is it due to a small tcpdump buffer size? How can I capture the rest of the packets?

Pravin Kumar

1 Answer


From the tcpdump manual page:

When tcpdump finishes capturing packets, it will report counts of:

packets captured (this is the number of packets that tcpdump has received and processed);

packets received by filter (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets "dropped by kernel" (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as 0).

http://www.tcpdump.org/tcpdump_man.html

Thus, I guess that, in your case, 238 packets were captured and 119 of them passed the filter (had localhost as destination). This is because packets are captured twice (leaving and arriving at the same interface) and tcpdump removes these duplicates. The same happens if you try to ping 127.0.0.1.

Martín Gómez
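To tell the harmless loopback case apart from real capture loss when checking whether a capture is complete, the three closing counters can be parsed and compared. The following helper is an added example, not code from the question or the answer; it assumes Linux behaviour on `lo`/`any` (each loopback packet seen once per direction, one copy kept) and uses the question's counter values as constructed sample input.

```python
import re

# Constructed sample of tcpdump's closing statistics (values from the question).
SAMPLE_STATS = """\
119 packets captured
238 packets received by filter
0 packets dropped by kernel
"""

_PATTERNS = {
    "captured": re.compile(r"^(\d+) packets? captured", re.M),
    "received": re.compile(r"^(\d+) packets? received by filter", re.M),
    "dropped": re.compile(r"^(\d+) packets? dropped by kernel", re.M),
}


def parse_tcpdump_stats(text):
    """Return tcpdump's three closing counters as a dict of ints."""
    stats = {}
    for name, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if not match:
            raise ValueError("missing tcpdump counter: %s" % name)
        stats[name] = int(match.group(1))
    return stats


def diagnose_capture(stats, interface):
    """Classify the gap between 'received by filter' and 'captured'.

    Returns 'kernel_drops', 'complete', 'loopback_duplicates' or
    'unexplained_gap'. The loopback rule is an assumption about Linux:
    libpcap sees every lo packet twice (outgoing and incoming) and keeps one.
    """
    if stats["dropped"] > 0:
        return "kernel_drops"            # real loss: buffer too small for the load
    gap = stats["received"] - stats["captured"]
    if gap == 0:
        return "complete"
    if interface in ("lo", "any") and gap == stats["captured"]:
        return "loopback_duplicates"     # exactly half: one copy per direction
    # Per the man page, 'received by filter' may include packets matched but
    # not yet processed by tcpdump when it exited; inspect further.
    return "unexplained_gap"
```

A result of `kernel_drops` is the only one that points at buffer size; `loopback_duplicates` means every distinct packet was captured.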