tcpdump mailing list archives

Re: Capture on many interfaces with pcap


From: "Fulvio Risso" <fulvio.risso () polito it>
Date: Sun, 18 Apr 2004 16:58:49 +0200

In Windows, you can use the pcap_next_ex() with a timeout of "0".
   http://winpcap.polito.it/docs/docs31beta/html/group__wpcapfunc.html#a23

You can have a sequence of pcap_next_ex(), one for each network interface,
within the same thread.
I don't know what happens in Linux (although I expect the same behaviour as
Windows).

Cheers,

        fulvio

-----Original Message-----
From: tcpdump-workers-owner () lists sandelman ca
[mailto:tcpdump-workers-owner () lists sandelman ca]On Behalf Of Andreas
Rieke
Sent: Sunday 18 April 2004 14.16
To: tcpdump-workers () tcpdump org
Subject: [tcpdump-workers] Capture on many interfaces with pcap


Hi,

I am using pcap/WinPcap to capture traffic on Linux and Windows
operating systems. I need to work on several interfaces in parallel and
expect high load; however, as the filter function should drop more than
99 percent of the traffic, receiving packets from pcap should not be the
problem.
My design criteria are
- to process high load on the interfaces without dropping packets,
- to have stable processes/threads and
- to avoid polling because 100 % CPU load is not acceptable.

I see at least three ways to proceed with this job:
1. Call pcap_open_live for each interface within a single process/thread
and wait for packets using the select/WaitForMultipleEvents or
WaitForMultipleObjects function: In this case, I expect a stable process
because we need no threads, but I am not sure about performance.
2. Create a thread for each interface and process packets with callback
functions within the threads: Although I have heard that pcap/WinPcap
should be thread-safe, I am not sure about that and thus expect
stability problems. It should be quite simple to be thread-safe as long
as only one interface is used, but what about pcap running on several
interfaces in parallel? Additionally, under Linux, I do not know whether
to use Linux threads (clone) or POSIX threads (pthreads) for this job.
3. Handle each interface in its own process: Although this approach
should support both high stability with high performance, I do not like
it too much because a single process (with or without threads) better
fits in my application.

Are there any other ways to go? Has anybody already had experience
with one of these approaches?

Regards,

Andreas


-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
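
Option 1 from the question (a single thread that sleeps until any interface has data, then drains it without blocking), as an added example that is not part of the original messages or of libpcap. The names `source`, `set_nonblocking`, `service_sources` and `MAX_SOURCES` are hypothetical, and any readable descriptor works as a source; with libpcap on Linux each fd would come from `pcap_get_selectable_fd()` on a handle switched to non-blocking mode with `pcap_setnonblock()`, and the drain loop would be `pcap_dispatch()`.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>

#define MAX_SOURCES 16          /* hypothetical upper bound on interfaces */

/* One capture source. Assumption: with libpcap, fd would be the value
 * returned by pcap_get_selectable_fd(handle); here it is any readable fd. */
struct source { int fd; unsigned long bytes; };

/* Non-blocking mode guarantees that draining one source can never stall
 * the loop while another interface fills its buffer. */
int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Sleep in poll() until at least one source is readable or timeout_ms
 * expires, then drain every readable source. Returns the number of
 * sources serviced, 0 on timeout, -1 on error. Idle sources cost no CPU. */
int service_sources(struct source *src, int n, int timeout_ms)
{
    struct pollfd pfd[MAX_SOURCES];
    char buf[2048];
    int i, rc, serviced = 0;

    if (n < 1 || n > MAX_SOURCES)
        return -1;
    for (i = 0; i < n; i++)
        pfd[i] = (struct pollfd){ .fd = src[i].fd, .events = POLLIN };
    do {
        rc = poll(pfd, (nfds_t)n, timeout_ms);
    } while (rc < 0 && errno == EINTR);      /* restart after a signal */
    if (rc <= 0)
        return rc;
    for (i = 0; i < n; i++) {
        ssize_t got;
        if (!(pfd[i].revents & POLLIN))
            continue;
        /* Read until the kernel reports "no more data" (EAGAIN) or EOF. */
        while ((got = read(src[i].fd, buf, sizeof buf)) > 0)
            src[i].bytes += (unsigned long)got;
        serviced++;
    }
    return serviced;
}
```

Calling `service_sources()` in a loop with a timeout of -1 blocks indefinitely between bursts, which is the behaviour the third design criterion asks for.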


