author | guy <guy> | 2003-09-16 21:02:51 +0000 |
---|---|---|
committer | guy <guy> | 2003-09-16 21:02:51 +0000 |
commit | 563344d11781660bf34ac611ab8d690272ca99e7 (patch) | |
tree | fbb2c9f008c5ed815f377b151934a62ae296af9e /tcpdump.1 | |
parent | f8751069031ea09bb110464c292d23528abad092 (diff) | |
download | tcpdump-563344d11781660bf34ac611ab8d690272ca99e7.tar.gz |
Add to the packet counts a count of packets that tcpdump has seen and
processed - people often get confused by the "received by filter" count,
as they might not realize that, in some systems, it counts packets that
were handed to the filter mechanism regardless of whether they pass or,
if they pass, they have yet been read by the application and, on some
other systems, it counts packets that passed the filter but still counts
them in the kernel before they're read by the application.

They're probably mostly interested in the count of packets processed by
tcpdump; the "received by filter" count is probably of interest only if
you want to know how effective your filter is (and even then it's of
interest only if it counts packets handed to the filter rather than
packets that passed the filter).

Give more details on why the "received by filter" count doesn't
necessarily mean what you think it means.

Diffstat (limited to 'tcpdump.1')
-rw-r--r-- | tcpdump.1 | 15 |
1 files changed, 12 insertions, 3 deletions
@@ -118,14 +118,23 @@ When .I tcpdump finishes capturing packets, it will report counts of: .IP +packets ``captured'' (this is the number of packets that +.I tcpdump +has received and processed); +.IP packets ``received by filter'' (the meaning of this depends on the OS on which you're running .IR tcpdump , and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless -of whether they were matched by the filter expression, and on other OSes -it counts only packets that were matched by the filter expression and -were processed by +of whether they were matched by the filter expression and, even if they +were matched by the filter expression, regardless of whether +.I tcpdump +has read and processed them yet, on other OSes it counts only packets that were +matched by the filter expression regardless of whether +.I tcpdump +has read and processed them yet, and on other OSes it counts only +packets that were matched by the filter expression and were processed by .IR tcpdump ); .IP packets ``dropped by kernel'' (this is the number of packets that were |
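
Review bot: in the ``received by filter'' entry, the added lines put three different behaviours into one comma-joined parenthetical, and two of them are both introduced with "on other OSes", so it is hard to see where one case ends and the next begins. Consider separating the cases with semicolons and wording the last as "and on still other OSes", or breaking them into a short list. The new ``captured'' entry says "received and processed" while the filter entry says "read and processed"; using one phrase in both places would make it clearer that the same count is meant. The text also does not say which behaviour applies on which OS, so a reader comparing the ``captured'' and ``received by filter'' numbers still cannot tell how to interpret the difference on their platform; naming an example OS for each case would close that gap.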