Red Hat Bugzilla – Bug 1441597
tcpdump: tcpdump can not dump all packets.
Last modified: 2017-08-01 08:13:36 EDT
Description of problem: tcpdump can not dump all packets. when test a short tcp flow, the last packet is droped. tcpdump-4.5.1-3.el7.x86_64 and 3.10.0-637.el7.x86_64: pass tcpdump-4.9.0-3.el7.x86_64 and 3.10.0-637.el7.x86_64: fail Version-Release number of selected component (if applicable): tcpdump-4.9.0-3.el7.x86_64 How reproducible: always Steps to Reproduce: 1. server: #nc -l 7788 2. client: #tcpdump -i $interface port 7788 #echo hello| nc $dstip $dstport Actual results: 7 packets captured 8 packets received by filter 1 packet dropped by kernel >>> the packet is the last ACK. Expected results: no dropped packets Additional info: Another reproducer: this issue is found when run the case: it's a UDP flow with TOS. http://pkgs.devel.redhat.com/cgit/tests/kernel/tree/networking/socket/bugs/dscp-bz990694
The new version of tcpdump uses bigger snaplen by default, this is probably the root cause of this bug. Compare: Version 4.5.1: # tcpdump -i eth0 port 55555 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ... Version 4.9.0: # tcpdump -n -i eth0 port 55555 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ... Notice the difference in "capture size". When running with previously default snaplen it works just fine: # tcpdump -s 65535 -i eth0 port 55555 > /dev/null tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes ^C8 packets captured 8 packets received by filter 0 packets dropped by kernel It also works fine when using bigger capture buffer (-B), no name resolution (-n) or writing to file (-w), so I guess that the name resolution process takes too long and the capture buffer is meanwhile overflowed. Also when you run the nc communication twice, it is captured fine the second time: # tcpdump -i eth0 port 55555 > /dev/null tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes ^C15 packets captured 16 packets received by filter 1 packet dropped by kernel To sum up, I think this is a configuration issue not a bug, but if you want to make this work by default, we can reduce the snaplen size to its previous value.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:1871