high rate tcpdumping

Tips & tricks when tcpdump:ing at high speeds... Ever experienced dropped packets when trying to capture a stream of traffic using tcpdump? I know I have, and it's quite annoying, isn't it? Here are a few tricks to keep those packets from hitting the floor.

Increase the size of your receive socket buffers:

echo 8388608 > /proc/sys/net/core/rmem_max
echo 8388608 > /proc/sys/net/core/rmem_default

8388608 is more of a guess than something I've reached through scientific methods, so another value might be more appropriate, but just increasing it way above the default certainly improves things.

Use the 'buffer' program, something along the lines of:

tcpdump -eni eth0 -s0 -w - | buffer -t -S 1k -s 8k -o my-tcpdump.pca

has worked rather nicely for me so far. Giving exact numbers on how many packets or bytes I can capture per second would only be silly since it varies by machine, but the above tricks have increased the throughput quite a lot for me. Happy tcpdump:ing! :D
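As an added example (not from the post), here is a small POSIX shell wrapper that applies the two tricks above and then reads tcpdump's own exit summary to check whether the kernel still dropped anything, which is the quickest way to tell if the buffers are big enough. It goes beyond the post by also setting tcpdump's -B capture buffer; the interface, output file and 64 MiB -B value are assumptions.

```shell
#!/bin/sh
# Added example: capture with enlarged buffers and report kernel drops afterwards.
# Assumes Linux, root, and that tcpdump and 'buffer' are installed.
WANTED_RMEM=8388608   # the post's value; a guess, but well above the default

# Raise the sysctl at $1 to at least $2 (the file path is a parameter so it can be tested offline).
ensure_rmem() {
    path="$1"; wanted="$2"
    current=$(cat "$path")
    if [ "$current" -lt "$wanted" ]; then
        echo "$wanted" > "$path"
    fi
    [ "$(cat "$path")" -ge "$wanted" ]
}

# Print the "packets dropped by kernel" count from tcpdump's exit summary; 0 if the line is absent.
# The summary is what tcpdump writes to stderr when it exits, e.g. on Ctrl-C.
kernel_drops() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) packets dropped by kernel.*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Run the capture from the post (plus -B, tcpdump's own buffer in KiB) and warn if the kernel dropped.
capture() {
    iface="$1"; out="$2"
    errlog=$(mktemp)
    ensure_rmem /proc/sys/net/core/rmem_max "$WANTED_RMEM"
    ensure_rmem /proc/sys/net/core/rmem_default "$WANTED_RMEM"
    tcpdump -B 65536 -eni "$iface" -s0 -w - 2>"$errlog" | buffer -t -S 1k -s 8k -o "$out"
    drops=$(kernel_drops "$(cat "$errlog")")
    rm -f "$errlog"
    if [ "$drops" -gt 0 ]; then
        echo "warning: kernel dropped $drops packets; raise the buffers further" >&2
        return 1
    fi
    echo "capture finished with no kernel drops" >&2
}

# Usage: sh capture.sh eth0 my-tcpdump.pcap  (interface and file name are placeholders)
if [ "$#" -eq 2 ]; then
    capture "$1" "$2"
fi
```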
