Skip to main content
The dropmon profile provides drop monitor functionality, reporting packets being dropped including stack traces to understand what those packet flows were doing in the stack.

What it enables

Probes

  • tp:skb:kfree_skb/stack - Traces the kernel function that frees socket buffers with stack trace collection enabled

Collectors

The dropmon profile enables several collectors to provide comprehensive drop information:
  • skb-drop - Drop reason information
  • skb - Socket buffer metadata (packet headers, addresses)
  • dev - Device/interface information
  • ns - Network namespace information

Usage

Basic collection

retis -p dropmon collect

Collect and store for later analysis

retis -p dropmon collect -o

Generate pcap from stored events

retis -p dropmon pcap -o retis.pcap
The same profile can be used with both the collect and pcap commands, making it easy to convert drop events into pcap format for analysis in tools like Wireshark.

Use cases

  • Drop investigation: Understanding why packets are being discarded
  • Performance troubleshooting: Identifying unexpected packet loss
  • Firewall debugging: Seeing where security policies drop packets
  • Resource exhaustion: Detecting drops due to buffer limits

Example output

The dropmon profile captures detailed information about dropped packets: 
4152973315243 [nc] 14839 [tp] skb:kfree_skb drop (NO_SOCKET)
    bpf_prog_88089ccd9794be3a_sd_devices+0x3601
    bpf_prog_88089ccd9794be3a_sd_devices+0x3601
    bpf_trace_run3+0x52
    kfree_skb_reason+0x8f
    tcp_v6_rcv+0x77
    ip6_protocol_deliver_rcu+0x6b
    ip6_input_finish+0x43
    __netif_receive_skb_one_core+0x62
    process_backlog+0x85
    __napi_poll+0x28
    net_rx_action+0x2a4
    __do_softirq+0xd1
    do_softirq.part.0+0x3d
    __local_bh_enable_ip+0x68
    __dev_queue_xmit+0x28b
    ip6_finish_output2+0x2ae
    ip6_finish_output+0x160
    ip6_xmit+0x2c0
    inet6_csk_xmit+0xe9
    __tcp_transmit_skb+0x535
    tcp_connect+0xb95
    tcp_v6_connect+0x515
    __inet_stream_connect+0x10f
    inet_stream_connect+0x3a
    __sys_connect+0xa8
    __x64_sys_connect+0x18
    do_syscall_64+0x5d
    entry_SYSCALL_64_after_hwframe+0x6e
  if 1 (lo) rxif 1 ::1.36986 > ::1.8080 ttl 64 label 0x975b1 len 40 proto TCP (6) flags [S] seq 2899194670 win 65476
In this example:
  • A TCP SYN packet from ::1.36986 to ::1.8080 was dropped
  • The drop reason is NO_SOCKET - no listening socket on port 8080
  • The stack trace shows the packet went through the TCP receive path before being dropped
  • The full packet headers are included for context

Understanding the output

Drop reason: The kernel provides a reason code (e.g., NO_SOCKET, POLICY, NO_ROUTE) explaining why the packet was dropped. Stack trace: Shows the call chain leading to the drop, helping identify:
  • Which kernel function initiated the drop
  • What path the packet took through the network stack
  • Whether the drop was in BPF, iptables, routing, etc.
Packet metadata: Interface, addresses, protocol, and flags provide context about what was dropped.

When to use dropmon

Choose the dropmon profile when:
  • Packets are mysteriously disappearing
  • You need to understand drop patterns and causes
  • You’re debugging connectivity issues
  • You want to identify unwanted drops in production

Build docs developers (and LLMs) love

Get started for freeTalk to us