tcpdump mailing list archives
Re: Filter complexity and performance
From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 16 Jan 2007 22:58:22 +0000
On 2007-01-15 13:08, Dmitry Rubinstein wrote:
> We are trying to capture stuff using a relatively simple filter (on Linux, using Phil Wood's PCAP with ssldump on top of it). What we want is basically to capture the traffic to and from a specific port of a specific host (say, 10.0.0.1:80).
>
> So far we did it using the filter 'host 10.0.0.1 and port 80', but obviously that means we also see traffic originating from 10.0.0.1 to port 80 of other hosts. The simple way to prevent that would be to use a bit more elaborate filter: '(dst host 10.0.0.1 and dst port 80) or (src host 10.0.0.1 and src port 80)'. This means the filter has grown twofold in the number of clauses.
>
> What will be the implications upon the performance of the filtering code? Will we be able to capture twice as few packets (hopefully not)? I was hoping to kinda avoid the need to do this test if anyone has already done some sort of evaluation...
If your packet filter is running in the kernel, reducing the number of packets you match may actually improve your performance, even though executing the filter is more work per packet, because you end up transferring fewer packets from kernel memory to userland. If using a slightly more complex filter eliminates 90% of the packets, you're probably winning.

If you want to make that filter a little more efficient, add "ip and tcp and ((dst host...". This will shorten the resulting BPF code a bit. You can find the optimal filter with various options and ordering using tcpdump -d to dump the BPF packet filter.

If you want to estimate the effect on filtering time, you can measure the number of BPF instructions it takes to process various packets. Based on a profile of your network traffic you could then estimate the average number of BPF instructions spent on each packet.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
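The instruction-counting approach the reply describes, as an added example that is not from this thread or from tcpdump itself: a small Python interpreter for the subset of classic BPF that `tcpdump -d` prints for IP/TCP filters, run over constructed Ethernet frames so the per-packet cost of a filter can be compared across a traffic mix. The dump below is hand-written in `tcpdump -d` style for the `ip and tcp and dst host 10.0.0.1 and dst port 80` half of the filter and assumes an Ethernet link layer; `parse_dump` can be pointed at the real output of `tcpdump -d '<filter>'` to measure your own filters.

```python
import re
# Constructed `tcpdump -d` style dump for "ip and tcp and dst host 10.0.0.1 and dst port 80"
# on Ethernet (hand-written to mirror tcpdump's output, not captured from a real run).
BPF_DUMP = """\
(000) ldh      [12]
(001) jeq      #0x800           jt 2    jf 12
(002) ldb      [23]
(003) jeq      #0x6             jt 4    jf 12
(004) ld       [30]
(005) jeq      #0xa000001       jt 6    jf 12
(006) ldh      [20]
(007) jset     #0x1fff          jt 12   jf 8
(008) ldxb     4*([14]&0xf)
(009) ldh      [x + 16]
(010) jeq      #0x50            jt 11   jf 12
(011) ret      #262144
(012) ret      #0
"""
SIZES = {"ld": 4, "ldh": 2, "ldb": 1}   # bytes loaded by each load opcode

def parse_dump(text):  # turn `tcpdump -d` lines into (opcode, operand-string) pairs
    found = (re.match(r"\(\d+\)\s+(\w+)\s+(.*)", ln.strip()) for ln in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def run_bpf(prog, pkt):  # returns (bytes accepted, instructions executed); 0 bytes = dropped
    a = x = pc = steps = 0
    while True:
        op, arg = prog[pc]
        steps += 1
        if op == "ret":
            return int(arg[1:], 0), steps
        if op in SIZES:                          # A = word/half/byte at [k] or [x + k]
            m = re.fullmatch(r"\[(x \+ )?(\d+)\]", arg)
            off = int(m.group(2)) + (x if m.group(1) else 0)
            if off + SIZES[op] > len(pkt):
                return 0, steps                  # out-of-range load rejects, as the kernel does
            a, pc = int.from_bytes(pkt[off:off + SIZES[op]], "big"), pc + 1
        elif op == "ldxb":                       # X = 4 * (pkt[k] & 0xf): IP header length
            k = int(re.fullmatch(r"4\*\(\[(\d+)\]&0xf\)", arg).group(1))
            x, pc = 4 * (pkt[k] & 0xF), pc + 1
        else:                                    # jeq / jset: branch on the accumulator
            m = re.fullmatch(r"#(\S+)\s+jt\s+(\d+)\s+jf\s+(\d+)", arg)
            k = int(m.group(1), 0)
            hit = a == k if op == "jeq" else (a & k) != 0
            pc = int(m.group(2 if hit else 3))

def tcp_frame(src_ip, dst_ip, sport, dport):  # constructed Ethernet/IPv4/TCP headers, checksums zero
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0])
    ip += bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + sport.to_bytes(2, "big") + dport.to_bytes(2, "big") + b"\x00" * 16
```

A matching packet runs all 12 instructions, a non-IP frame is rejected after 3, and traffic from 10.0.0.1 to some other host leaves at the destination-address test after 7, which is the kind of per-packet count the reply suggests averaging over a traffic profile. The `jset #0x1fff` step that tcpdump emits for every port test also shows a caveat worth knowing: a non-initial IP fragment carries no TCP header, so it is dropped before the port comparison and a port filter never captures later fragments of a matching flow.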
Current thread:
- Filter complexity and performance Dmitry Rubinstein (Jan 15)
- Re: Filter complexity and performance Jonathan Gruenhut (Jan 15)
- Re: Filter complexity and performance Fabian Schneider (Jan 15)
- Re: Filter complexity and performance Jefferson Ogata (Jan 16)