Hey Linux kernel / #infosec people, help me out a bit here.
It has been told to me, without evidence but by a person I do not consider a fool, that a raw-socket-based sniffer in Linux on recent kernels would be "unreliable under load" and "miss some packets under load".
Bullshit?
Replying to @0K_ultra
There is a reason for tcpdump printing "packets dropped by kernel". If, under load, you are not processing captured packets fast enough, the kernel will drop some of them. See also https://unix.stackexchange.com/a/144810/17611 (Not #infosec here.)
Replying to @vzeman79
Well, I know packets can be dropped by the kernel, but my understanding was that they are dropped into nothing ) Here the claim was that they would be "missed by the sniffer" but still proceed down to some other states/destinations, which I think is "not a thing".
The kernel has a specific buffer for the packet capture mechanism, separate from the actual comms handling.
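The mechanism the two replies above describe (tcpdump's "packets dropped by kernel" line, and a capture-side buffer that is separate from the stack's own delivery path), as an added example that is not part of the thread: a C program for Linux that opens an AF_PACKET raw socket, shrinks that one socket's receive buffer with SO_RCVBUF, reads from it deliberately slowly, and then asks the kernel with getsockopt(PACKET_STATISTICS) how many frames it dropped for that socket. The interface name "eth0", the 8 KiB buffer, the 20 ms per-frame pause and the 5 second run are assumptions chosen for the demo; it needs CAP_NET_RAW (or root) to open the socket, and you have to push some traffic through the interface while it runs.

```c
/* Added example, not from the thread: measure how many frames a raw
 * AF_PACKET socket lost because its own receive buffer overflowed.
 * Linux only; needs CAP_NET_RAW to open the socket. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>

/* Share of frames that reached this socket but could not be queued.
 * getsockopt(PACKET_STATISTICS) folds tp_drops into tp_packets, so the
 * ratio is bounded by 1. */
double drop_ratio(const struct tpacket_stats *st)
{
    if (st->tp_packets == 0)
        return 0.0;
    return (double)st->tp_drops / (double)st->tp_packets;
}

/* Sniff ifname for `seconds`, pausing read_delay_us after every frame so
 * the consumer falls behind on purpose, then read the kernel's per-socket
 * counters into *st. Returns 0 on success, -1 with errno set on failure. */
int measure_drops(const char *ifname, int seconds, int rcvbuf_bytes,
                  unsigned int read_delay_us, struct tpacket_stats *st)
{
    if (strlen(ifname) >= IFNAMSIZ) {
        errno = EINVAL;
        return -1;
    }
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;

    /* Shrink this socket's own queue. The normal receive path that hands
     * the frame to IP/TCP/UDP is untouched; only our copy can be dropped. */
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf_bytes,
                   sizeof rcvbuf_bytes) < 0)
        goto fail;

    struct sockaddr_ll sll = {
        .sll_family = AF_PACKET,
        .sll_protocol = htons(ETH_P_ALL),
        .sll_ifindex = (int)if_nametoindex(ifname),
    };
    if (sll.sll_ifindex == 0) {
        errno = ENODEV;
        goto fail;
    }
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0)
        goto fail;

    /* Wake up once a second so an idle link does not hang the loop. */
    struct timeval tv = { .tv_sec = 1, .tv_usec = 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0)
        goto fail;

    unsigned char frame[65536];
    time_t end = time(NULL) + seconds;
    while (time(NULL) < end) {
        ssize_t n = recv(fd, frame, sizeof frame, 0);
        if (n < 0) {
            if (errno == EAGAIN || errno == EINTR)
                continue;          /* read timeout or signal: keep waiting */
            goto fail;
        }
        usleep(read_delay_us);     /* the slow consumer that overflows the queue */
    }

    socklen_t len = sizeof *st;
    if (getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, st, &len) < 0)
        goto fail;
    close(fd);
    return 0;

fail: {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
}

int main(int argc, char **argv)
{
    /* Assumptions for the demo: interface "eth0" unless given on the command
     * line, 8 KiB socket buffer, 20 ms pause per frame, 5 second run. */
    const char *ifname = argc > 1 ? argv[1] : "eth0";
    struct tpacket_stats st;
    if (measure_drops(ifname, 5, 8192, 20000, &st) < 0) {
        perror("measure_drops");
        return 1;
    }
    printf("%u frames reached the socket, %u dropped from its queue (%.1f%%)\n",
           st.tp_packets, st.tp_drops, 100.0 * drop_ratio(&st));
    return 0;
}
```

The counters are per packet socket: a frame the kernel reports in tp_drops was refused only by this socket's receive queue, because the socket's buffered bytes plus the new frame exceeded its SO_RCVBUF, and the original frame still went up the normal stack to whatever application it was addressed to. That is exactly the number tcpdump prints as "packets dropped by kernel" (libpcap reads it the same way). Two things to keep in mind when reading it: PACKET_STATISTICS zeroes the counters on every read, so call it once at the end or accumulate yourself, and tp_packets already includes the dropped frames, so the ratio above never exceeds 1.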
Replying to @chaosprime @vzeman79
And a raw socket is handled using that buffer and not the "general comm" one? Fascinating.
Dunno, that buffer is why tcpdump would lose packets that the network stack didn't; idk how the raw socket approach is implemented.