tcpdump mailing list archives

Re: single packet capture time w/pcap vs. recvfrom()


From: Guy Harris <guy () alum mit edu>
Date: Tue, 25 May 2004 19:24:32 -0700


On May 23, 2004, at 6:37 PM, Brandon Stafford wrote:

> I'm writing a server that captures UDP packets and, after some manipulation, sends the data out the serial port. Right now, I'm using recvfrom(), but it takes 20 ms to execute for each packet captured. I know that tcpdump can capture packets much faster than 20 ms/packet on the same computer, so I know recvfrom() is running into trouble, probably because of bad checksums on the packets.
>
> Is it a good idea to rewrite the server using pcap,

It depends on the purpose of the server.

If a received packet has a bad IP header or UDP checksum, it should get discarded at the IP or UDP layer, so that your application would *never* see it, not just see it after 20ms. If something out there causes the sender of the packet to retransmit it because it received no acknowledgments (because it was discarded by the IP or UDP layer, and thus not presented to a layer that would acknowledge it), with that happening after 20ms, then, if you use libpcap to read the packets, you'll see the initial bad packet *and* the retransmission.

If that's what you want - i.e., if the server is supposed to log all the UDP packets in question, even if they have a checksum error - then it should use libpcap.

However, if, in a case where a packet is retransmitted due to an error such as that, the server is supposed to log only the *valid* packet, then it's not clear using libpcap would provide any advantages.

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
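
A libpcap-based logger that must tell a corrupted packet from its valid retransmission has to verify the checksums itself, because the IP and UDP layers no longer discard bad packets for it. The following is an added example, not part of the original message or of libpcap; the function names and the sample packet are constructed for illustration, and it assumes unfragmented IPv4 with the link-layer header already skipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sum big-endian 16-bit words into acc; an odd trailing byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc) {
    for (; len > 1; p += 2, len -= 2) acc += (uint32_t)((p[0] << 8) | p[1]);
    return len ? acc + (uint32_t)(p[0] << 8) : acc;
}
/* Fold carries; a result of 0 means the one's-complement sum verified. */
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* ip points at the IPv4 header of a captured packet.
 * Returns 1 = checksums good, 0 = bad IP header or UDP checksum,
 * -1 = truncated, fragmented, or not IPv4/UDP (cannot be judged). */
int udp_packet_valid(const uint8_t *ip, size_t caplen) {
    if (caplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, totlen = (size_t)((ip[2] << 8) | ip[3]);
    if (ihl < 20 || ip[9] != 17 || totlen < ihl + 8 || caplen < totlen) return -1;
    if ((ip[6] & 0x3f) || ip[7]) return -1;        /* fragment: no full datagram */
    if (fold(sum16(ip, ihl, 0)) != 0) return 0;    /* IP header checksum */
    const uint8_t *udp = ip + ihl;
    size_t ulen = (size_t)((udp[4] << 8) | udp[5]);
    if (ulen < 8 || ulen > totlen - ihl) return -1;
    if (!udp[6] && !udp[7]) return 1;              /* IPv4 sender sent no UDP checksum */
    uint32_t acc = sum16(ip + 12, 8, 0) + 17 + (uint32_t)ulen;  /* pseudo-header */
    return fold(sum16(udp, ulen, acc)) == 0;
}
/* Constructed sample: 192.0.2.1:5000 -> 192.0.2.2:5001, payload "pcap". */
static const uint8_t sample[32] = {
    0x45,0x00,0x00,0x20, 0x00,0x00,0x00,0x00, 0x40,0x11,0xf6,0xc9,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x13,0x88,0x13,0x89, 0x00,0x0c,0x82,0xed, 'p','c','a','p' };
/* Verdict for the sample with byte idx bit-flipped (idx >= 32 leaves it intact). */
int verdict_with_flip(size_t idx) {
    uint8_t pkt[sizeof sample];
    memcpy(pkt, sample, sizeof pkt);
    if (idx < sizeof pkt) pkt[idx] ^= 0x01;
    return udp_packet_valid(pkt, sizeof pkt);
}
int main(void) {
    printf("intact=%d payload-flip=%d ip-header-flip=%d\n",
           verdict_with_flip(99), verdict_with_flip(30), verdict_with_flip(8));
    return 0;
}
```

Packets the capturing host itself transmits can show wrong checksums in a capture when the NIC does checksum offload, so this check is meaningful for received traffic.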

