This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gaurav_Pandya
Advisor
‎2022-04-13 11:36 AM

Capture shows packet drops by kernel

Hi Mates,

We have syslog traffic passing through firewall. It is Tons of traffic. Syslog admin was saying that he is not getting enough data from all devices. 

When I captured tcpdump traffic on firewall, it shows only 7 to 8 packets but at the end it shows,

9 packets captured

2633 packets received by filter

2448 packets dropped by kernel

 

I am not seeing any drops with fw ctl zdebug command. Sometime capture says "buffer full". We dont want to increase buffer size. Is there any suggestion how we can resolve this (dropped by kernel) issue?

There is no issue with route or flow. syslog receives data but it is not enough,  

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2022-04-13 01:28 PM

The "packets dropped by kernel" just means that captured packets streamed into tcpdump's buffer faster than they could be emptied and were lost for purposes of being captured.  You did not actually lose any traffic being processed by the firewall as traffic is copied (or "T"'ed) at the NIC driver level into tcpdump's buffer, and the original packet continues on and is not lost.

I believe the default size of tcpdump's buffer is 32767 KiB (32MB), you could try increasing it via the -B option to something like 65536 and see if that eliminates the kernel drops.  Or try to apply a more stringent filter in your tcpdump syntax.

Or best of all just use cppcap instead.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Gaurav_Pandya
Advisor
‎2022-04-14 02:39 AM
In response to Timothy_Hall

Hi Tim,

Thanks for the explanation. Actually I was confused because I was not able to capture any packet with fw monitor as well but as it is R80.30 version, I need to use "fw monitor -F" syntax to capture traffic. Now all is set.

Thanks.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-04-14 04:50 AM
In response to Gaurav_Pandya

Yes if you can live with fw monitor -F's extremely limited filtering syntax that will work too.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events