
This is the way I see it.

A copy of the network activity is written to a buffer, and snoop reads from the buffer. As long as snoop is able to get the data out fast enough (writing directly to a file is faster than writing to a terminal or a bzipper), the buffer will never fill up.

But if there is a high volume of network activity, and snoop can't write it out as fast as it comes in (for whatever reason), then snoop has to wait, and therefore the original buffer gets full.

If the buffer gets large, what happens?

  • In favor of maximum throughput, the buffer grows, indefinitely. :-/
  • In favor of low memory usage, some data might be excluded. :-o
  • In favor of stable results, the network I/O is bottle-necked until there is more room in the buffer. B-)

I am particularly interested in Solaris, but information on other UNIX systems would be interesting.

700 Software

1 Answer


I think that packets get dropped by snoop in favour of not delaying them during times of high activity.

Snoop provides the -D switch to display the number of packets dropped during capture.

The -s snaplen switch can be used to truncate packet capture after snaplen bytes and means there is less chance of buffer overflow during high traffic periods.

The warnings section of the man page says this too:

The processing overhead is much higher for realtime packet interpretation. Consequently, the packet drop count may be higher. For more reliable capture, output raw packets to a file using the -o option and analyze the packets off line.

user9517
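To make the three outcomes listed in the question (the buffer grows without bound, packets get dropped, or the producer is stalled) concrete, and to show why the answer's advice about -s snaplen and -o helps, here is a small tick-based simulation of a bounded capture buffer. This is an added example, not code from the page or from snoop itself; the packet sizes, buffer size and drain rate are constructed numbers, not measurements of a real capture.

```python
"""Added example (not from the page): a tick-based simulation of a bounded
capture buffer with three overflow policies, mirroring the options listed in
the question.  Packet sizes, buffer size and drain rate are constructed
numbers, not measurements of a real snoop run."""

from collections import deque
from dataclasses import dataclass


@dataclass
class CaptureStats:
    captured: int      # packets that made it into the buffer
    dropped: int       # packets discarded because the buffer was full ("drop" policy)
    stalls: int        # ticks on which the producer had to wait ("block" policy)
    peak_queued: int   # largest number of bytes resident in the buffer at once


def simulate_capture(packet_sizes, buffer_bytes, drain_per_tick, snaplen=None, policy="drop"):
    """Feed one packet per tick into a buffer of `buffer_bytes` while a consumer
    (think: snoop writing to a file, a terminal, or a bzip2 pipe) removes at
    most `drain_per_tick` bytes per tick.

    policy="drop":  a packet that does not fit is discarded (the behaviour the
                    answer describes; snoop -D reports the count).
    policy="block": a packet that does not fit waits, i.e. the producer stalls.
    policy="grow":  the buffer is unbounded and simply keeps growing.
    `snaplen` truncates each packet to at most that many bytes before it is
    buffered, which is what snoop -s snaplen does.
    """
    if policy not in ("drop", "block", "grow"):
        raise ValueError(f"unknown policy {policy!r}")
    queue = deque()        # sizes of buffered packets, head first
    queued = 0             # bytes currently held in the buffer
    head_written = 0       # bytes of queue[0] the consumer has already written out
    captured = dropped = stalls = peak = 0
    i = 0
    while i < len(packet_sizes) or queue:
        if i < len(packet_sizes):
            size = packet_sizes[i] if snaplen is None else min(packet_sizes[i], snaplen)
            if policy == "block" and size > buffer_bytes:
                raise ValueError("a packet larger than the buffer can never be accepted")
            if policy == "grow" or queued + size <= buffer_bytes:
                queue.append(size)
                queued += size
                captured += 1
                i += 1
            elif policy == "drop":
                dropped += 1
                i += 1
            else:  # block: the packet stays on the wire and the producer waits this tick
                stalls += 1
            peak = max(peak, queued)
        # consumer side: write up to drain_per_tick bytes; a packet leaves the
        # buffer only once all of its bytes have been written
        budget = drain_per_tick
        while queue and budget > 0:
            remaining = queue[0] - head_written
            if remaining <= budget:
                budget -= remaining
                queued -= queue.popleft()
                head_written = 0
            else:
                head_written += budget
                budget = 0
    return CaptureStats(captured, dropped, stalls, peak)


if __name__ == "__main__":
    # constructed workload: ten full-size Ethernet frames arriving at 1500 B/tick
    # against a consumer that can only write 500 B/tick
    burst = [1500] * 10
    for policy in ("drop", "block", "grow"):
        print(policy, simulate_capture(burst, buffer_bytes=4000, drain_per_tick=500, policy=policy))
    # the same burst truncated to 96-byte headers, as snoop -s 96 would do
    print("drop+snaplen", simulate_capture(burst, 4000, 500, snaplen=96, policy="drop"))
```

With these numbers the "drop" policy captures five of the ten frames and discards the other five, "block" loses nothing but stalls the producer on fifteen ticks, and "grow" loses nothing but lets the buffer climb to 10500 bytes; truncating to 96 bytes lets the same consumer keep up with zero drops. On a real system the corresponding knobs are the ones the answer names: -s to truncate, -o to write raw packets to a file so the consumer is as fast as possible, and -D to see how many packets were dropped anyway.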