Re: Strange behavior of pcap filter

["Ian McDonald" <imcdnzl () gmail com>]

On 4/7/06, J S <geekreader () gmail com> wrote:
> Hello,
>
> I am developing an active monitoring system, which implements pcap filter.
>
> The requirement is to send probes with a high monitoring rate e.g. 40 msec
> and the probe packets have data of 12 bytes. For each packet sent by the
> sender the recipient sends a reply packet.
>
>
> I have noticed a strange behavior of the captured packets.
>
>
> I initially started with 10 probe packets sent by the sender with an
> interval of 40 msec between each of them. I used pcap_loop method with a cnt
> of -1. to loop for ever . The pcap filter deployed at each end is supposed
> to  capture 20 packets ( 10 from src to dst and 10 from dst to src and  I am
> only capturing data packets). However I noticed that the number of packets
> captured  are quite less (varied from 13 to 17) . but the total size of the
> pay load i.e. the sum of the payload for all packets is always 240 (12 x 20
> =240).  For some of the packets the size of the payload is 24, or even 48.
>
> When I increased the monitoring rate the payload size even changed to 108
> bytes and the no of packets changed to 10. However in all cases the total
> pay load size of all the packets was exact 240. I know there was no packet
> lost , as I can see them through sockets. I think the number of packets
> captured equaled to 20 when I changed the rate to 1 sec.
I presume you are using TCP/IP here. TCP/IP combines small packets to
make more efficient use of the network. If you use the TCP_NODELAY
socket option it won't do this.

> Is there any way I can capture packets efficiently with rate as  high as 40
> msec?
This should be no problem at all....
--
Ian McDonald
Web: http://wand.net.nz/~iam4
Blog: http://imcdnzl.blogspot.com
WAND Network Research Group
Department of Computer Science
University of Waikato
New Zealand
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.