[dsc] Duplicate packets captured (UNCLASSIFIED)

Kash, Howard M CIV (US) howard.m.kash.civ at mail.mil
Tue Jul 9 15:32:28 UTC 2013 

Classification: UNCLASSIFIED
Caveats: NONE


I believe the address(es) of the server (local_address values) are
automatically included in the BPF filter.  Also putting them in bpf_program
may result in duplicates?  Normally the bpf_program is just "port 53".


Howard


-----Original Message-----
From: dsc-bounces at measurement-factory.com
[mailto:dsc-bounces at measurement-factory.com] On Behalf Of Anand Buddhdev
Sent: Tuesday, July 09, 2013 11:01 AM
To: dsc at measurement-factory.com
Subject: [dsc] Duplicate packets captured

Hello DSC users,

We've noticed a strange issue with our DSC installation. We have a
CentOS 6 server, with libpcap 1.0.0 (part of the base CentOS
installation). We run multiple collectors, with configurations like these:

interface eth0;
local_address 193.0.9.X;
local_address 2001:67c:e0::X;
bpf_program "host 193.0.9.X or host 2001:67c:e0::X";
run_dir "/export/dsc/data.X";
pid_file "/var/run/dsc.X.pid";
minfree_bytes 5000000;

We run the collector like this: "dsc -f /etc/dsc.X.conf". We are not
using the "-p" option.

We know from our BIND server stats and from interface packet counts that
this server receives about 20,000 q/s in total to its various IP
addresses. However, our DSC graphs show this server as receiving over
70,000 q/s. The pcap_stats.dat files show:

1373241600 filter_received eth0:1116957 pkts_captured eth0:1064507
kernel_dropped eth0:52454
1373241660 filter_received eth0:1170577 pkts_captured eth0:1086713
kernel_dropped eth0:83863
1373241720 filter_received eth0:1179544 pkts_captured eth0:1114259
kernel_dropped eth0:65283

In comparison, on a similar box, which also receives about 20,000 q/s,
and with identical configuration for the collectors, the graphs show an
accurate query rate. Also, the pcap_stats.dat files show:

1373241600 filter_received eth0:28470 pkts_captured eth0:28470
1373241660 filter_received eth0:24789 pkts_captured eth0:24788
1373241720 filter_received eth0:28389 pkts_captured eth0:28385

Has anyone else experienced this phenomenon where the dsc collector is
counting packets more than once, and exaggerating the query rates? If
so, is it a libpcap issue or bug? Is there any known work-around?

Regards,

Anand
_______________________________________________
dsc mailing list
dsc at measurement-factory.com
http://www.measurement-factory.com/mailman/listinfo/dsc

Classification: UNCLASSIFIED
Caveats: NONE

More information about the dsc mailing list