This might be too fundamental to answer, but I would like to know
when will the 'dropped' value in the output of /sbin/ifconfig be counted up.
I have tried setting up a firewall using iptables with a very simple rule like
the following:
<samle>
# iptables -A INPUT -p tcp --dport 80 -j DROP
When trying to connect from the other host through tcp port 80, there
was no response, which is expected.
However, the 'dropped' value was note added up even the packet is dropped.
Any comment would be greatly appreciated.
--
Sincerely,
Jyo
02-25-2010, 12:31 PM
Xavier Parizet
The 'dropped' value in /sbin/ifconfig output
On 02/25/2010 02:11 PM, Kan-I Jyo wrote:
> Dear list,
>
> This might be too fundamental to answer, but I would like to know
> when will the 'dropped' value in the output of /sbin/ifconfig be counted up.
>
> I have tried setting up a firewall using iptables with a very simple rule like
> the following:
>
> <samle>
> # iptables -A INPUT -p tcp --dport 80 -j DROP
>
> When trying to connect from the other host through tcp port 80, there
> was no response, which is expected.
>
> However, the 'dropped' value was note added up even the packet is dropped.
Well, you're talking about two different things:
the dropped value in ifconfig output is related to Ethernet packet which
would be dropped by hardware.
The target DROP of iptables tells to the kernel to drop the packet at
software level.
If you want to see the dropped packet statistics on software level (ie
iptables), run iptables -v -L .
2010/2/25 Xavier Parizet <xav@gentooist.com>:
> Well, you're talking about two different things:
> the dropped value in ifconfig output is related to Ethernet packet which
> would be dropped by hardware.
Yeah, you have made the things clear to me. I just wondered why would I
mess them up.
So, in my understanding, those packets that are dropped by iptables in fact
have been received by the NICs, and that is the reason the "dropped'
value are not added up.
And here comes my original question: When will the 'dropped' count up?
(Just want to know some general ideas)
--
Sincerely,
Jyo
02-25-2010, 03:02 PM
Xavier Parizet
The 'dropped' value in /sbin/ifconfig output
On 02/25/2010 04:36 PM, Kan-I Jyo wrote:
> Hello, Xavier
>
> Thank you for your prompt reply.
>
> 2010/2/25 Xavier Parizet <xav@gentooist.com>:
>> Well, you're talking about two different things:
>> the dropped value in ifconfig output is related to Ethernet packet which
>> would be dropped by hardware.
>
> Yeah, you have made the things clear to me. I just wondered why would I
> mess them up.
>
> So, in my understanding, those packets that are dropped by iptables in fact
> have been received by the NICs, and that is the reason the "dropped'
> value are not added up.
>
> And here comes my original question: When will the 'dropped' count up?
> (Just want to know some general ideas)
Network failure / packet loss / invalid ethernet frames / any hardware
related failures which will lead to a packet drop by the hardware
itself. It's a means for the hardware to report to the kernel/software
that it ignored some packets for any reason, these reasons should be
found in dmesg afaik.
The 'dropped' value in /sbin/ifconfig output
