tcpdump mailing list archives

Re: Filter complexity and performance

From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 16 Jan 2007 22:58:22 +0000

On 2007-01-15 13:08, Dmitry Rubinstein wrote:

We are trying to capture stuff using a relatively simple filter (on
Linux, using Phil Wood's PCAP with ssldump on top of it). What we want
is basically to capture the traffic to and from a specific port of a
specific host (say, 10.0.0.1:80). So far we did it using the filter
'host 10.0.0.1 and port 80', but obviously that means we also see
traffic originating from 10.0.0.1 to port 80 of other hosts. The simple
way to prevent that would be to use a bit more elaborate filter: '(dst
host 10.0.0.1 and dst port 80) or (src host 10.0.0.1 and src port 80)'.
This means the filter has grown two fold in the number of clauses. What
will be the implications upon the performance of the filtering code?
Will we be able to capture twice as few packets (hopefully not)? I was
hoping to kinda avoid the need to do this test if anyone has already did
some sort of evaluation...


If your packet filter is running in the kernel, reducing the number of
packets you match may actually improve your performance, even though
executing the filter is more work per packet, because you end up
transferring fewer packets from kernel memory to userland. If using a
slightly more complex filter eliminates 90% of the packets, you're
probably winning.

If you want to make that filter a little more efficient, add "ip and tcp
and ((dst host...". This will shorten the resulting BPF code a bit. You
can find the optimal filter with various options and ordering using
tcpdump -d to dump the BPF packet filter.

If you want to estimate the effect on filtering time, you can measure
the number of BPF instructions it takes to process various packets.
Based on a profile of your network traffic you could then estimate the
average number of BPF instructions spent on each packet.

-- 
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
"Never try to retrieve anything from a bear."--National Park Service
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

Filter complexity and performance Dmitry Rubinstein (Jan 15)
- Re: Filter complexity and performance Jonathan Gruenhut (Jan 15)
- Re: Filter complexity and performance Fabian Schneider (Jan 15)
- Re: Filter complexity and performance Jefferson Ogata (Jan 16)