7

I have a problem with my networking performance. I am using Ubuntu 16.04 on VMware Cloud Server with NIC E1000. But I see some packets dropped in sections of ifconfig command:

root@ubuntu:~# ifconfig ens192
ens192    Link encap:Ethernet  HWaddr 00:50:56:03:25:14  
          inet addr:192.16.1.100  Bcast:192.16.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:574749 errors:0 dropped:83 overruns:0 frame:0
          TX packets:76478 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44109471 (44.1 MB)  TX bytes:19484534 (19.4 MB)

Although it just some packets dropped but my server is running a real-time game online, so you know it impacts my clients that are connecting to it.

I have done in some researching and exploring information on Google, after that I tried to change config file for buffer ring, max windows size, and so on. But it still drops my packets.

So, now I want to capture packets that dropped for analyzing what type of packets exactly it is.

I also tried this capture for my view in wireshark:

sudo tcpdump -i ens192 -n -w /var/www/html/logs.pcap -C 1 -Z root

But I don't think I can see what packets are dropped! I think packets dropped is ignored before going to the filter of tcpdump.

Can you suggest me what method to capture "dropped packets" above (dropped:83)?

Thanks in advance!

Ben Mathews
  • 113
Joey
  • 793

2 Answers2

4

The problem can be with tcpdump itself: If it doesn't respond quickly enough then old packets will be overwritten with new ones, which means that they are dropped.

If you capture all the bytes of each packet, it's very easy to overrun the kernel's packet capture buffer. The symptoms of this overrun are that your packet trace program will report that it dropped packets.

In the case of tcpdump, it prints a summary of how many packets were captured, filtered, and dropped when you stop the capture. For example:

$ sudo tcpdump -i en0 -w trace.pcap
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
94 packets captured
177 packets received by filter
0 packets dropped by kernel

If the dropped count is non-zero, you need to increase the packet capture buffer size by passing the -B option to tcpdump. Try it also without a capture file, to see if this improves the capture ratio.

harrymc
  • 498,455
2

Your questions seems to pertain to going back and finding out what might have caused a previous packet to drop rather than attempting to capture real time packets to try to find one that drops. For the latter, harrymc's answer should be able to eventually capture one that you're looking for.

To go back and look into what might be happening at that interface, you have to understand that those headers you're seeing for RX packets:574749 errors:0 dropped:83 overruns:0 frame:0 are simply summaries of underlying counters.

From my comment, I would recommend using the ethtool command/package from this answer to analyze some of the counters to see if you can find something that appears out of place.
ethtool -S ens192

From the broadcom drivers source file, we see tp->rx_dropped++; for a few separate occasions in the file. 1 2 3 Any one of these or more (depending on your exact NIC and underlying drivers) contribute to what could be causing dropped packets.

To ease your mind, your server is dropping less than 0.015% of packets received based on your output above. Your clients wouldn't notice any server interruption or even jitter until your drop rate/error rate climbs above 1%. Even then, it would be hardly noticeable. TCP will take care of any of the re-transmissions required.

Will
  • 1,492
  • 1
  • 9
  • 27