Rich Salz wrote: >> presumably some output queue was getting overrun and messages >> were silently discarded - my sendto(...) code never returned an error, >> by the way... > >UDP packets aren't acked, so if the server couldn't keep up and was >dropping them, that's the behaviour you'd expect. I measured this back in the early 90's and I bet it hasn't changed since then. The problem isn't that the server can't keep up, it's that the kernel discards the packets before they even get to the input cycle of the server. There have been huge changes in the various BSD kernels but I bet it's still the same thing. What I observed was that if I sent 10,000 UDP syslogs from machine 'A' to server 'B' and had machine 'C' running tcpdump to count them I only saw machine 'A' transmit a few hundred. The client side code on 'A' (as you say) didn't register an error because UDP isn't required to. What was happening was there was a queue max depth on the interface output queue that was getting overrun and the kernel was just chucking the packets. TCP retransmits took care of making sure things worked for TCP(with a big thruput hit) but the UDP got silently lost. My informal testing last night seems to show that the same thing still happens. This is _correct_ behavior for a UDP application so it's not surprising. mjr. --- Marcus J. Ranum Chief Technology Officer, NFR Security, Inc. Work: http://www.nfr.com Personal: http://www.ranum.com --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 07:06:27 PST