Dropwatch: see where packets are dropped in the kernel stack

Ah... why did I forget to write about dropwatch?

“Packets are dropped”: this phrase is quite common in the IT world, but how do you prove it, and where are the packets dropped?

Until now, people relied on the ‘netstat’ utility (for example, netstat -s) to see drops, but finding out where a packet was dropped remained a mystery for most people. Dropwatch helps here.
Dropwatch is a project driven by Neil Horman, in his own words, “to improve the visibility developers and sysadmins have into the Linux networking stack. Specifically I am aiming to improve our ability to detect and understand packets that get dropped within the stack. I’ve spent some time talking with many people about what they see as shortcomings in this area, and have come away with 4 points:

Consolidation: Finding dropped packets in the network stack is currently very fragmented. There are numerous statistics proc files and other utilities that need to be consulted in order to have a full view of what packets are getting dropped within the stack. Consolidating all these utilities into one place is very helpful

Clarity: Understanding which statistics and utility outputs correlate to actual dropped packets requires a good deal of knowledge. Being able to simplify the ability to recognize a dropped packet is helpful

Disambiguation: There is a gap between the recognition of a dropped packet and its root cause. Several statistics can be incremented at multiple points in the kernel, and sometimes for multiple reasons. Being able to point out, with specificity where and why a packet was dropped decreases the time it takes for an admin or developer to correct the problem.

Performance: Checking the current user space utilities and stats for dropped packets is currently an exercise in polling. Its performance is sub-optimal and makes sysadmins hesitant to implement investigations on production systems due to potential performance impact. Improving performance would make admins more likely to use the tools to diagnose the problems.

Normally, monitoring for dropped packets requires the creation of a script that periodically polls all the aforementioned interfaces, checking for a change in various counter values. Dropwatch instead listens on a netlink socket for the kernel to inform userspace (apps like dropwatch and any others), that a packet has been dropped. This of course implies that the kernel has some sort of functionality to this end.”
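The polling approach described in the quote, as an added example (not from the original post or the dropwatch project): it diffs the per-interface drop counters in /proc/net/dev between two snapshots. The function names and the sample snapshots are constructed for illustration. It reports which interface's counters grew, not where in the stack the packet was dropped, which is the gap dropwatch fills.

```python
import time

# Constructed /proc/net/dev snapshots (sample data, not from a real host).
HEADER = """\
Inter-|   Receive                                      |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
"""
SAMPLE_BEFORE = HEADER + """\
    lo: 84120 610 0 0 0 0 0 0 84120 610 0 0 0 0 0 0
  eth0:9812734 70112 0 12 0 0 0 31 1203344 10233 0 0 0 0 0 0
"""
SAMPLE_AFTER = HEADER + """\
    lo: 91300 655 0 0 0 0 0 0 91300 655 0 0 0 0 0 0
  eth0:9934001 71020 0 19 0 0 0 31 1210020 10301 0 2 0 0 0 0
"""

def parse_net_dev(text):
    """Return {iface: (rx_drop, tx_drop)} from /proc/net/dev contents.

    After the 'iface:' prefix there are 16 counters per line;
    index 3 is receive drops and index 11 is transmit drops.
    """
    counters = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        iface, sep, rest = line.partition(":")  # name may abut first number
        fields = rest.split()
        if sep and len(fields) >= 16:
            counters[iface.strip()] = (int(fields[3]), int(fields[11]))
    return counters

def drop_deltas(before, after):
    """Return {iface: (rx_delta, tx_delta)} for drop counters that grew."""
    deltas = {}
    for iface, (rx, tx) in after.items():
        b_rx, b_tx = before.get(iface, (rx, tx))  # new interface: no baseline
        d_rx, d_tx = max(rx - b_rx, 0), max(tx - b_tx, 0)  # counter reset -> 0
        if d_rx or d_tx:
            deltas[iface] = (d_rx, d_tx)
    return deltas

if __name__ == "__main__":
    with open("/proc/net/dev") as fh:
        prev = parse_net_dev(fh.read())
    while True:
        time.sleep(5)  # polling interval: drops are only seen after the fact
        with open("/proc/net/dev") as fh:
            cur = parse_net_dev(fh.read())
        for iface, (d_rx, d_tx) in drop_deltas(prev, cur).items():
            print(f"{iface}: +{d_rx} rx drops, +{d_tx} tx drops")
        prev = cur
```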

The dropwatch behaviour can be mimicked by placing probes on ‘kfree_skb’ and printing ‘symnames’ and ‘count’, as seen here: www.sourceware.org/systemtap/examples/network/dropwatch.stp

Dropwatch is available in Fedora and can be used to find dropped packets:

More details can be found at the URLs below:


How to use it:

I installed the dropwatch package on my Fedora-16 system:

# yum install dropwatch

Once it is installed, you can use dropwatch with any of the switches mentioned here:

So, from here on, use it to get good visibility into packet drops.



