ifdump profile collects packets just after the device driver in ingress and right before the device driver in egress. This is similar to many well-known packet capture utilities that use AF_PACKET.
What it enables
Probes
The ifdump profile uses two strategic probe points:tp:net:netif_receive_skb- Captures packets immediately after the device driver receives themtp:net:net_dev_start_xmit- Captures packets right before they are transmitted by the device driver
Collectors
The profile uses the default collectors enabled by Retis, which typically include basic packet metadata.When not using a profile and no user-defined collectors or probes are specified,
retis collect uses these same probes automatically.Usage
Use cases
- Traditional packet capture: Similar to tcpdump or wireshark
- Interface-level monitoring: Seeing exactly what enters and leaves network interfaces
- Driver debugging: Understanding packets at the hardware boundary
- Baseline comparison: Creating a reference capture similar to other tools
Example output
The ifdump profile captures packets at the device boundary:- The first event shows an ICMPv6 echo request (type 128) being transmitted on interface wlp82s0
- The second event shows the corresponding echo reply (type 129) being received on the same interface
- Both events show the raw packet at the device driver boundary
When to use ifdump
Choose the ifdump profile when:- You need packet-level visibility similar to traditional capture tools
- You want to see packets before any kernel processing
- You’re debugging device driver issues
- You want minimal overhead with focused capture points