What data is not available for tcpdump unlike interface statistics tools?

Question

I'm analizing the logs on specific interface and wondering why this command during small load-test:

tcpdump -i enp21s0f0 -s0 -w /tmp/dump2.cap`

catched only 75 MB, when

ethtool -S enp21s0f0 / ifconfig enp21s0f0

showed about 80 MB of data(I compared rx_bytes&tx_bytes before and after the test to get this value).

After that I did the same test for one ARP packet(for several times) and tcpdump catched 64 bytes, but ethtool showed 68 bytes. So, what contains in these 4 bytes and is it possible to catch these bytes? Or, at least, to prognize them?

score 0 · Accepted Answer · answered Nov 09 '17 at 15:59

The reason is the traffic added by NIC driver, visible only between two interfaces:

Large segment offload
Frame check sequence

It's possible to get this traffic by tcpdump after applying the commands:

ethtool --offload enp21s0f0 rx off tx off
ethtool -K enp21s0f0 rx-fcs on

What data is not available for tcpdump unlike interface statistics tools?

1 Answers1