https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146232#M24232 <P>The "packets dropped by kernel" just means that captured packets streamed into tcpdump's buffer faster than they could be emptied and were lost for purposes of being captured.&nbsp; You did not actually lose any traffic being processed by the firewall as traffic is copied (or "T"'ed) at the NIC driver level into tcpdump's buffer, and the original packet continues on and is not lost.</P> <P>I believe the default size of tcpdump's buffer is 32767 KiB (32MB), you could try increasing it via the -B option to something like 65536 and see if that eliminates the kernel drops.&nbsp; Or try to apply a more stringent filter in your tcpdump syntax.</P> <P>Or best of all just use cppcap instead.</P> Wed, 13 Apr 2022 20:28:29 GMT Timothy_Hall 2022-04-13T20:28:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146225#M24231 <P>Hi Mates,</P> <P>We have syslog traffic passing through firewall. It is Tons of traffic. Syslog admin was saying that he is not getting enough data from all devices.&nbsp;</P> <P>When I captured tcpdump traffic on firewall, it shows only 7 to 8 packets but at the end it shows,</P> <P>9 packets captured</P> <P>2633 packets received by filter</P> <P>2448 packets dropped by kernel</P> <P>&nbsp;</P> <P>I am not seeing any drops with fw ctl zdebug command. Sometime capture says "buffer full". We dont want to increase buffer size. Is there any suggestion how we can resolve this (dropped by kernel) issue?</P> <P>There is no issue with route or flow. syslog receives data but it is not enough,&nbsp;&nbsp;</P> Wed, 13 Apr 2022 18:36:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146225#M24231 Gaurav_Pandya 2022-04-13T18:36:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146232#M24232 <P>The "packets dropped by kernel" just means that captured packets streamed into tcpdump's buffer faster than they could be emptied and were lost for purposes of being captured.&nbsp; You did not actually lose any traffic being processed by the firewall as traffic is copied (or "T"'ed) at the NIC driver level into tcpdump's buffer, and the original packet continues on and is not lost.</P> <P>I believe the default size of tcpdump's buffer is 32767 KiB (32MB), you could try increasing it via the -B option to something like 65536 and see if that eliminates the kernel drops.&nbsp; Or try to apply a more stringent filter in your tcpdump syntax.</P> <P>Or best of all just use cppcap instead.</P> Wed, 13 Apr 2022 20:28:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146232#M24232 Timothy_Hall 2022-04-13T20:28:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146264#M24233 <P>Hi Tim,</P> <P>Thanks for the explanation. Actually I was confused because I was not able to capture any packet with fw monitor as well but as it is R80.30 version, I need to use "fw monitor -F" syntax to capture traffic. Now all is set.</P> <P>Thanks.</P> Thu, 14 Apr 2022 09:39:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146264#M24233 Gaurav_Pandya 2022-04-14T09:39:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146270#M24234 <P>Yes if you can live with <STRONG>fw monitor -F</STRONG>'s extremely limited filtering syntax that will work too.</P> Thu, 14 Apr 2022 11:50:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Capture-shows-packet-drops-by-kernel/m-p/146270#M24234 Timothy_Hall 2022-04-14T11:50:08Z