Re: How to make libpcap work in MMAP mode

[Fabian Schneider <schneifa () net in tum de>]

Hi,

i think you are speaking of the patched version of libpcap available from 
Phil Wood, right?

>     I want to know how to make libpcap(version 0.9.20060417) work in 
>     MMAP mode. Would somebody give me some help? Thanks in advance!

The trick with that version is that it uses the mmaped ringbuffer 
automatically. But you have to make sure, that the programm which uses the 
libpcap is linked against this libpcap and not against any other -- 
official/standard -- libpcap. 

You can check if you are using the correct version by calling you program 
like this: 

PCAP_VERBOSE=1 <programm commandline> 

That produce two additional lines of output (i think stderr, but i am not 
sure) indicating that the mmaped version is used. The official verison of 
libpcap does not support this environment variable and ignores it.  
For tcpdump the output looks like this for example:

> PCAP_VERBOSE=1 tcpdump -i eth1 -w /dev/null host 192.168.0.1   
libpcap version: 0.9.20050810b-mmap-net 
Kernel filter, Protocol 0300, MMAP mode (819200 frames, snapshot 96), socket type: Raw 
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
...

by the way you should additionally use PCAP_FRAMES=max with the mmaped 
version for maximal effeiciency. For more detail take a look at:
http://public.lanl.gov/cpw/ 


   regards
   Fabian Schneider

-- 
Fabian Schneider,  Technische Universität München
address: Boltzmannstr. 3, 85748 Garching b. Münchenn
e-mail: fabian () net in tum de, WWW: http://www.net.in.tum.de/~schneifa 
phone: +49 89 289-18012, mobile: 0179/2427671-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.