Vern Paxson vern at icir.org
Fri Jan 3 23:31:38 PST 2003

>   You could also just watch the variable 'drop' returned by pcap_stats( 
> ) to see if there are drops.

Yes, but only on some systems, and for some types of drops.  As you mention,
on some systems it's not accurate, due to kernel bookkeeping deficiencies,
or because loss occurs on the NIC (which can't always correctly report it)
or at the tap rather than in the kernel.


More information about the Bro mailing list