[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Tcpdump problem


I have a system with debian sid, 2.6.10-5 debian kernel. I notice that
the ksoftirqd/0 is highly using the CPU, the idle is somewhere arround
1.6% or less. On the system is a bridge with 3 interfaces, only one
connected to network. There was an attack from a computer, and i
blocked the MAC with arptables and ebtables. Before, the arptables
filters worked, and the attacker couldnt attack anymore. But now with
this bridge and ebtables + arptables filters, that mac is showed in
brctl showmacs. I can't know for sure who is the attacker, because the
damn tcpdump shows lots of dropped packets, like this:

13 packets captured
9360 packets received by filter
9227 packets dropped by kernel

>From manual it seems it has to do with the buffer length used by
kernel for packets capturing. Is there a posibility to make tcpdump
log all packets ? so i can know what is killing the CPU?

Also, is it normal to have that much cpu use with so few packets, at
most 20 000/s, before the system didn't care much for even 50 000/s .
On that moment it was some 2.6.10-rc2 with mm patch. The CPU is P4 at
1.6GHz. On a machine (no bridge) with 2.6.10-4 debian kernel and much
more packets, but p4 at 3Ghz with HT, the idle is 80%.

I also have a machine with vanilla 2.6.10 and a bridge with 3
interfaces, being the core of an 500 lan computers, the idle is 98 or
99% .
Bla bla

Reply to: