When tcpdump drops too many packets ...

I had a machine within a gigabit ethernet environment and tried to check the network traffic with

tcpdump -i eth0

The outcome was staggering:

45 packets captured
7509 packets received by filter
7392 packets dropped by kernel

This is quite a high packet loss rate. After some “debugging” I found that tcpdump tries to look up the domain names for all the IP addresses it sees. It is therefore necessary to use the -n option, which turns these lookups off:

tcpdump -i eth0 -n

results in

27105 packets captured
29008 packets received by filter
1893 packets dropped by kernel

This is better, but there is still some packet loss left because tcpdump writes all its output to the terminal. If you use a slow-painting terminal (like the KDE konsole), you will see quite a high packet loss. To avoid this, redirect the output to a file using

tcpdump -i eth0 -n > output.txt

which results in

43332 packets captured
43332 packets received by filter
0 packets dropped by kernel
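
To check a capture for loss automatically instead of reading the summary by eye, the three counters can be parsed and compared against a limit. The script below is an added example, not part of the original post; the function names drop_percent and capture_ok are hypothetical, and it assumes the summary (which tcpdump prints to stderr on exit) has been saved or piped in.

```shell
#!/bin/sh
# Added example: parse the summary tcpdump prints on exit and report
# how much of the traffic the kernel dropped before tcpdump read it.

# drop_percent: reads a tcpdump summary on stdin and prints
# "dropped by kernel" / "received by filter" as a percentage.
# Assumption: "received by filter" includes the dropped packets, as the
# counters shown on this page suggest; its exact meaning depends on the OS.
drop_percent() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            # No summary lines found: signal an error instead of guessing.
            if (recv == "" || drop == "") exit 2
            # Nothing received means nothing could be lost.
            if (recv == 0) { print "0.00"; exit 0 }
            printf "%.2f\n", 100 * drop / recv
        }'
}

# capture_ok MAX_PERCENT: succeeds when the drop rate of the summary on
# stdin is at or below MAX_PERCENT, so a capture script can flag a lossy
# capture before anyone relies on it as a complete record.
capture_ok() {
    pct=$(drop_percent) || return 2
    awk -v p="$pct" -v max="$1" 'BEGIN { exit !(p <= max) }'
}

# Typical use (counters go to stderr, packets to stdout):
#   tcpdump -i eth0 -n > output.txt 2> stats.txt
#   capture_ok 1 < stats.txt || echo "capture incomplete" >&2

# Demo on the first summary from this page (tcpdump without -n).
printf '%s\n' '45 packets captured' \
    '7509 packets received by filter' \
    '7392 packets dropped by kernel' | drop_percent
```
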